b'     REDACTED FOR PUBLIC RELEASE\n\n\n\n\nTHE DEPARTMENT OF JUSTICE\xe2\x80\x99S\nVICTIM NOTIFICATION SYSTEM\n\n\n        U.S. Department of Justice\n      Office of the Inspector General\n               Audit Division\n\n           Audit Report 08-04\n             January 2008\n\n\n\n\n     REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n                     THE DEPARTMENT OF JUSTICE\xe2\x80\x99S\n                     VICTIM NOTIFICATION SYSTEM*\n\n                              EXECUTIVE SUMMARY\n\n      The Department of Justice (DOJ) Victim Notification System (VNS) is\nan automated system used by federal personnel to notify federal crime\nvictims regarding developments in their cases, including information about\nthe status of the investigation, prosecution, trial, incarceration, location, and\ncustody status of the offender related to the crime.\n\n       The VNS came online in October 2001 and as of October 5, 2007,\ncontained information on more than 1.5 million registered victims. The\nannual budget for the VNS has remained at approximately $5 million since\nfiscal year (FY) 2002. 1 Since work began on creating the system in FY 1998,\nthe VNS has cost a total of more than $38 million. The VNS is managed by\nthe Executive Office for United States Attorneys (EOUSA) and is used by all\nUnited States Attorneys Offices (USAO), the DOJ Criminal Division, the\nFederal Bureau of Investigation (FBI), the Federal Bureau of Prisons (BOP),\nand the United States Postal Inspection Service (USPIS).\n\n       In this audit, the Office of the Inspector General (OIG) examined the\nmanagement of the VNS, the effectiveness of the VNS for victims, and the\ninformation security of the system. In conducting this audit, we interviewed\npersonnel who managed the system, as well as personnel from agencies\ndirectly involved with the VNS. We analyzed victim-related data in the VNS\nand sent surveys to a sample of victims in the VNS. We also worked with a\ncontractor to perform a review of the VNS\xe2\x80\x99s information security. In\ngeneral, our audit covered the period from FY 1998 through FY 2007.\n\nResults in Brief\n\n     Our audit found that, overall, federal VNS users and victims we\nsurveyed were generally satisfied with VNS services. 2 However, we\n\n        * The full version of this report includes information that EOUSA considered to be\nsensitive, and therefore could not be publicly released. To create this public version of the\nreport, the OIG redacted (deleted) two appendices that were considered sensitive by\nEOUSA, and we indicated where those redactions were made.\n       1\n           Detailed information about VNS funding can be found in Appendix III.\n       2\n        Federal VNS users, such as FBI Victim Specialists and USAO Victim/Witness\nAdvocates, generally specialize in dealing with victims and victim issues and access the VNS\nto manage information that relates to cases in the control of their agency.\n\n\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\nidentified weaknesses in certain areas. Specifically, we found that there are\nfew internal controls in place to ensure the accuracy and completeness of\ndata in the VNS. For example, 18 percent of the surveys we mailed to\nvictims considered to be active in the VNS were returned as undeliverable. 3\nOfficials from VNS-participating agencies also discussed with us similar\nproblems they have encountered with undeliverable correspondence.\n\n      We also determined that EOUSA has no schedule or written plans for:\n(1) increasing storage space on the VNS server, despite capacity having\nreached a level where system performance has been affected; (2) replacing\nVNS hardware, which is reaching the end of its usefulness; or (3) providing\nfor the continuity of VNS project management, which is currently\nconcentrated in a single position.\n\n      We also found that EOUSA is now in the process of expanding the\nnumber of agencies that participate in the VNS, although it had not\npreviously placed a priority on such expansion. In addition, EOUSA is\nworking on establishing a direct connection for the VNS to obtain court-\nevent data from the Administrative Office of the U.S. Courts (AOUSC).\nWhen developed, this interface will assist USAOs with notification of court\nproceedings.\n\n      As a result of victims\xe2\x80\x99 responses to our surveys indicating that they\nconsidered the custody status of defendants to be of high importance,\nEOUSA is now working to include such information, available from the\nUnited States Marshals Service (USMS), in the VNS.\n\n      Our review of VNS effectiveness revealed that many victim-respondents\nto our survey: (1) found VNS notifications to be generally understandable\nand useful, (2) obtained the information they desired from the VNS Call\nCenter, and (3) found the VNS website generally easy to use. 4 However,\n25 percent of active VNS victims who responded to our survey reported\nhaving no knowledge of the VNS or that their names were maintained in such\na system. The fact that a significant number of federal crime victims were\nunaware of the system was of concern to us. Another concern we identified is\nthat the contractor that maintains the VNS Call Center was not ensuring that a\nSpanish-speaking operator was on duty during all hours of operation, as\nrequired by the contract.\n\n      3\n         Victims who are considered to be \xe2\x80\x9cactive\xe2\x80\x9d in the VNS are those victims whose\ninformation is in the VNS and who are receiving VNS notifications.\n      4\n         The VNS Call Center consists of an automated, toll-free telephone response\nsystem, as well as operators who can provide case information to victims.\n\n\n                                    ii\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n\n      We also found that a large percentage of victims had been removed\nfrom an active status in the VNS with no reason having been recorded for\ndoing so. Removing a victim from \xe2\x80\x9cactive\xe2\x80\x9d status means that he or she no\nlonger receives notifications about case-related events. That VNS does not\nrequire a participating agency to note a reason for \xe2\x80\x9cdeactivating\xe2\x80\x9d a victim, or\nestablish any other internal control, renders this critical step more difficult to\ncorrect if in error.\n\n       In addition to the management and effectiveness of the system, we\nalso evaluated the information security of the VNS. Using a private auditing\nfirm, we identified deficiencies with EOUSA\xe2\x80\x99s implementation of systems and\ncommunications protection controls, identification and authentication,\nwebsite privacy, security measures, and web application controls. These\ndeficiencies indicate that the sensitive information contained within the VNS\nwas not adequately protected against loss of confidentiality and the integrity\nand availability of data was not appropriately ensured.\n\n      Our report contains detailed information on the full results of our\nreview of the VNS. In this report, we made 19 recommendations to help\nEOUSA carry out its responsibilities in managing the system.\n\n       The remaining sections of this Executive Summary describe in more\ndetail the background of the VNS and our audit findings.\n\nBackground\n\n       The Victim and Witness Protection Act of 1982, the Victims of Crime\nAct of 1984, the Crime Control Act of 1990, the Violent Crime Control and\nLaw Enforcement Act of 1994, the Justice for All Act of 2004, and the\nAttorney General\xe2\x80\x99s (AG) Guidelines for Victim and Witness Assistance\nestablished various procedures to address the needs of victims of crime. 5\nEach of these contain a directive to ensure that victims are notified of\nsignificant stages and procedural developments in the criminal justice\nprocess. Notification means keeping victims aware of the status of an\ninvestigation of a crime, as well as the subsequent prosecution, trial,\nincarceration, location, and custody status of the offender related to the\ncrime.\n\n     Prompted by a memorandum issued by the Office of the Attorney\nGeneral, in July 2000 EOUSA entered into a contract with AT&T to create the\n\n      5\n          Detailed information regarding this legislation can be found in Appendix II.\n\n\n                                      iii\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nVNS and establish and staff a Call Center to assist federal and victim users\nof the VNS. Utilizing funds provided by DOJ\xe2\x80\x99s Office for Victims of Crime\n(OVC), EOUSA managed the development of the system. Field deployment\nof the VNS and Call Center operations began in October 2001, and the VNS\nwas fully operational by January 2002.\n\nHow the VNS Works\n\n       The VNS, a web-based application, receives data from automated case\nmanagement systems at the FBI, USAOs, the DOJ Criminal Division, the\nUSPIS, and the BOP. Specifically, the VNS receives downloads from the\nFBI\xe2\x80\x99s Automated Case Support (ACS) system, the USPIS\xe2\x80\x99s Inspection Service\nIntegrated Information System (ISIIS), the USAO\xe2\x80\x99s Legal Information Office\nNetwork System (LIONS), the DOJ Criminal Division\xe2\x80\x99s Automated Case\nTracking System II (ACTS II), and BOP\xe2\x80\x99s SENTRY system. Data transferred\nfrom the various systems includes the case number; victim, defendant, and\ninmate information; court events; and custody status updates. Notably,\nsome of the victim-related information that resides in the VNS is personally\nidentifiable information (PII), such as the names, addresses, and, in some\ncases, social security numbers of victims of federal crimes.\n\n      Victims in the VNS are notified of case events by letter, e-mail,\nfacsimile, or telephone when a particular event in a case occurs, such as a\nscheduled court date or the release of a prisoner. Initially, the system\nconsisted of the VNS, which federal VNS users access via a secure intranet\nconnection, and the Call Center, which is used by both federal VNS users\nand victims of federal crimes. However, VNS services were enhanced in\nFY 2005 based on a DOJ request to enhance the VNS by enabling victims to\naccess case information via the Internet. This resulted in the development\nof the Victim Internet System (VIS), which allows victims to have access to\na subset of VNS data via the Internet. The VIS database server, in which\nthe users\xe2\x80\x99 encrypted information is stored, is located at the Justice Data\nCenter.\n\n      The following graphic illustrates how the various component systems\nfeed into the VNS, as well as how victim users of the system obtain case-\nrelated information.\n\n\n\n\n                                 iv\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n                          INFORMATION FLOW IN THE VNS\n\n\n\n\nSource: VNS User Manual and the DOJ Criminal Division\n\n\nAudit Approach\n\n      The Office of the Inspector General (OIG) assessed EOUSA\xe2\x80\x99s\nmanagement of the VNS, the effectiveness of the VNS for victims, and the\ninformation security of the system. The objectives of the audit were to\ndetermine if: (1) EOUSA has effectively managed the VNS, including\noverseeing the contractors, ensuring the accuracy of data in the system, and\nplanning for the future; (2) the VNS is an effective tool for victims of crime;\nand (3) the VNS was properly secured to prevent unauthorized use, access,\nand data modification.\n\n      To accomplish our audit objectives, we conducted more than\n40 interviews with personnel from agencies directly involved with the VNS.\nTo help evaluate the VNS\xe2\x80\x99s effectiveness for victims, as well as the accuracy\nof data in the system, we obtained and analyzed victim-related data\nextracted from the VNS. We then designed, deployed, and analyzed the\nresults from surveys we sent to 2,762 victims whose status in the system\nwas \xe2\x80\x9cactive,\xe2\x80\x9d as well as 480 additional surveys sent to victims who were no\nlonger \xe2\x80\x9cactive\xe2\x80\x9d in the system. In addition, we obtained a test VNS victim-\nuser account and performed our own evaluation of various VNS services.\n\n                                     v\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n       We also spoke with headquarters officials from those federal agencies\nthat do not directly participate in the VNS to determine their knowledge of\nthe system and whether they have been contacted about direct participation\nin the VNS. We conducted fieldwork in Chicago and Lisle, Illinois; Lexington\nand Louisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas\nCity, Missouri, where we spoke with senior management and staff who\nutilized the VNS at the local USAO, BOP, USPIS, and FBI offices. We also\nperformed a limited review of the contracted services that are provided and,\nin order to evaluate the VNS\xe2\x80\x99s information security, utilized a private\nauditing firm to perform an information security review of the VNS.\n\n     In general, the scope of our audit covered the period from FY 1998\nthrough FY 2007. Additional information about our audit scope and\nmethodology is contained in Appendix I.\n\nEOUSA Management of the VNS\n\n      Our audit determined that personnel from VNS-participating federal\nagencies, such as FBI Victim Specialists, were generally satisfied with\nservices provided by the VNS. However, weaknesses remain in how calls to\nthe VNS Call Center are tracked, the accuracy of data in the VNS, and the\nlong-term plans for the future of the system.\n\nData Accuracy\n\n       We found that there are few internal controls in place to ensure the\naccuracy and completeness of data in the VNS. According to the VNS\nProject Manager, the accuracy of information in the VNS is largely dependent\nupon what was provided or entered originally by the participating agency,\nand there is no process for routinely checking the accuracy of victim files in\nthe VNS. Yet, this means that victims whose contact information in the VNS\nis incorrect could be missing the opportunity to attend court events and be\notherwise updated on the status of their case. EOUSA told us that it is the\nvictim\xe2\x80\x99s responsibility to update all contact information. Victims can update\ntheir information by various methods, such as via the VNS website or by\ncontacting the USAO Victim-Witness Coordinator responsible for their case.\n\n      The lack of accurate contact information in the VNS was confirmed by\nour audit. Eighteen percent of the 2,762 victim surveys we mailed to victims\nactive in the VNS were returned to us as undeliverable mail. We were also\ntold by staff and officials from VNS-participating agencies about problems\nthey have encountered with undeliverable correspondence.\n\n\n\n                                 vi\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n       EOUSA officials acknowledged these issues, noted that they do not\nhave the resources to follow up on initial notifications, and said that EOUSA\nwas moving towards using the VNS website more than written notification\nletters. EOUSA officials also acknowledged that returned e-mail notifications\nwas an emerging issue, and that they were in the process of establishing a\nprotocol for identifying and getting information about undeliverable e-mail to\nparticipating agencies for action. Regardless of notification method, we\nbelieve that EOUSA should work with VNS-participating agencies to ensure\nthat contact information in the VNS is as accurate as possible so that, at the\nvery least, each victim receives an initial notification.\n\nArchiving Data and Replacing Hardware\n\n      According to contractor personnel, as well as EOUSA\xe2\x80\x99s FY 2007 budget\nrequest, storage space on the VNS server has been filled to almost\n80 percent of capacity. This has limited the speed at which data can be\naccessed and has become a bottleneck in the system. Additionally, much of\nthe VNS\xe2\x80\x99s equipment is coming to the end of its useful life span and is in\nneed of replacement. Although the VNS contract requires the contractor to\narchive VNS data periodically based on specific criteria, no VNS records have\never been archived and there are no current plans in place to do so.\n\n       During our audit, we discussed these issues with EOUSA and, in\nAugust 2007, EOUSA officials informed us that they plan to replace the\nexisting equipment with new equipment that will resolve the capacity issue\nand the need to archive or remove data from being accessible online.\n\nOutreach to Other Federal Agencies\n\n      In addition to all USAOs, only the FBI, the USPIS, the BOP, and the\nDOJ Criminal Division connect directly to the VNS. However, all investigative\nagencies are mandated to perform victim notifications during the\ninvestigative phase. Therefore, those federal investigative agencies who do\nnot participate in the VNS, such as the United States Secret Service (USSS)\nand the Internal Revenue Service (IRS), must provide victims information\nduring the investigative phase of a case on their own. Once they submit\ncases to a USAO, however, the USAO then \xe2\x80\x9ctakes over\xe2\x80\x9d the notification\nprocess via an upload of information to the VNS.\n\n      EOUSA officials stated that their outreach efforts have been focused on\nthose agencies whose cases involve the most victims. As shown in the\nfollowing graphic, the FBI and the USPIS, by far, have the most (79 percent)\nvictims in the VNS.\n\n\n                                vii\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                             REDACTED FOR PUBLIC RELEASE\n\n  900,000\n\n               815,993\n  800,000\n\n\n                                                                        VICTIMS IN THE VNS\n  700,000\n                                                                    BY INVESTIGATIVE AGENCY\n                                                                       (as of October 5, 2007)\n  600,000\n\n                                                                      1,564,667 Total Victims\n  500,000\n\n                          421,184\n  400,000\n\n\n\n  300,000\n\n\n\n  200,000\n\n\n                                                                                                           102,452\n  100,000                              79,811\n                                                      57,587\n                                                                       30,862   29,261      27,517\n      -\n                 FBI       USPIS    Secret Service   All Internal       BOP       FDA    All Other Labor   All Other\n                                                      Revenue\n\n                                      Source: OIG analysis of VNS data\n\n\n       In response to our discussions regarding other agencies that could\npossibly connect with the VNS, EOUSA officials advised us of their plans to\ncreate a universal, web-based interface with the VNS that could be utilized\nby all investigative agencies. We believe that this interface would be a\nuseful step towards consolidating victim notifications throughout the federal\ngovernment.\n\n       In addition to information about the investigative phase of a case, the\nVNS also provides notifications of court events, such as a competency\nhearing being held or a guilty plea being entered. 6 However, data related to\ncourt events is maintained by the Administrative Office of the U.S. Courts\n(AOUSC). In order for this data to make it into the VNS, it must first be\nobtained from the AOUSC and then manually entered into the USAO case\nmanagement system by personnel at individual USAO offices. It is then\nuploaded from the USAO case management system to the VNS. During the\ncourse of our audit, EOUSA officials informed us of a plan to create an\ninterface by which AOUSC data could be electronically passed to the VNS,\nthereby eliminating the time-consuming data-entry process, with its\npropensity for human input error.\n\n          6\n              A complete list of VNS notifications can be found in Appendix IV.\n\n                                         viii\n                             REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\n\n      In August 2007, EOUSA officials provided us with a copy of a signed\nMemorandum of Agreement (MOA) between EOUSA and the AOUSC to\ndevelop an interface between the two systems, and noted that the agencies\nare working together to connect the systems.\n\nVNS Project Management and Succession Planning\n\n      Since its inception, the VNS has been managed by a single project\nmanager, an Assistant United States Attorney based in Kansas City, Kansas.\nEOUSA has no formalized succession plan to continue management of the\nVNS should anything happen to key personnel. After discussing this issue\nwith EOUSA, EOUSA officials informed us that they are developing a\nsuccession plan that will address any contingency issues for VNS project\nmanagement.\n\nVNS Effectiveness\n\n      To gauge the effectiveness of the VNS in notifying victims of certain\nkey events, we interviewed federal VNS users and Call Center personnel,\nused a VNS test user account to assess VNS services from a victim\xe2\x80\x99s\nperspective, and conducted a survey of victims considered to be active in the\nVNS, as well as a survey of victims who had been \xe2\x80\x9copted-out\xe2\x80\x9d (deactivated)\nof the VNS.\n\n      For our survey of those victims active in the VNS, we mailed out\n2,783 surveys and received 691 responses. We reviewed these responses\nand determined that 531 of the 691 responses we received were valid and\ncould be used for additional analysis. For our survey of those victims who\nhad been \xe2\x80\x9copted out\xe2\x80\x9d of the VNS, we mailed out 489 surveys, received\n58 responses, and determined that 44 of these responses could be used for\nfurther analysis. 7\n\n      Overall, we found that many active victim survey respondents found\nthe notifications to be understandable and useful to some degree. However,\nwe identified areas in which we believe EOUSA could improve the services\nthe VNS provides to victims.\n\n\n\n\n      7\n          A more detailed description of our survey methodology for our survey of victims\nactive in the VNS can be found in Appendix VII. Our survey methodology for our survey of\n\xe2\x80\x9copted-out\xe2\x80\x9d victims can be found in Appendix VIII.\n\n\n                                    ix\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\nVictim Notifications\n\n      Twenty-five percent of the active victim respondents to our survey\nindicated that they did not know about the VNS or that they were included in\nthe VNS as a victim, that they had no idea why they had received our\nsurvey, or that our survey was the first piece of correspondence they had\nreceived regarding the VNS. Moreover, according to the VNS data, these\nrespondents had each been sent an average of 18 notifications, and the\nnumber of notifications sent to these victims ranged between 1 and 160.\n\n       These responses indicate that the VNS is not as effective as it could be\nat notifying victims of case events. A significant number of federal crime\nvictims have no knowledge of the system and are not receiving notifications\nfrom the VNS. In addition to the statutory requirement that victims be\nnotified of events that occur in their cases, we believe it also important that\nEOUSA ensure that victims: (1) are aware that they qualify as victims of a\nfederal crime, (2) are aware that their personal information is contained\nwithin the VNS, and (3) have been afforded the opportunity to decide\nwhether they wish to receive notifications of events that occur within their\ncases.\n\n      We spoke with EOUSA officials about this issue, and they\nacknowledged that there is no formal follow-up process to ensure that\nvictims receive notifications from the VNS. However, these officials\nexpressed the belief that performing follow-up on letters would be overly\nburdensome on participating agency personnel and noted that EOUSA was\nmoving towards using the VNS website more than written notification letters.\n\n       We believe that the purpose of the VNS is not always fulfilled by\nsimply ensuring that notifications are sent out. Rather, we believe it is\nincumbent upon EOUSA to seek to ensure that as many victims as possible\nreceive notifications. We recommend that the EOUSA work with VNS-\nparticipating agencies to develop procedures for ensuring victim contact\ninformation is current and undeliverable correspondence is pursued to help\nensure victims receive case-related notifications from the VNS.\n\nThe Victim Internet System\n\n      The Victim Internet System (VIS) is a web-based application that\nallows victims to have access to a subset of VNS data related to their case\nvia the Internet. We evaluated VIS services using a test victim account and\nincluded questions about the VIS in our survey of victims active in the VNS.\n\n\n\n                                    x\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n       Accessing the VIS\n\n       In response to our survey, only 98 of the 531 victims who returned\nvalid responses indicated that they accessed the VIS to review their case\ninformation. 8 We believe that EOUSA should be concerned about this\nrelatively low 18-percent usage rate, considering that EOUSA officials\ninformed us on several occasions that they prefer that victims utilize the VIS\nto obtain case information and that they have attempted to encourage its\nuse.\n\n       The majority of our respondents who indicated that they utilized the\nVIS found it at least somewhat easy to set up their VNS account. However,\nother respondents commented on difficulties with the process they\nencountered. Our own review of the VIS using our test victim account also\nidentified certain aspects in the process that could be confusing for victims,\nincluding problems with terminology. We spoke with EOUSA officials about\nthese issues, and they responded that they will work to explain VIS\nprocedures in more detail for victims.\n\n       Ease of Navigation, Comprehension, and Usefulness\n\n      More than 80 percent of the survey respondents stated that navigating\nor locating information on the VIS was at least somewhat easy. Additionally,\nmost respondents found the information on the VIS to be both\ncomprehensive and useful.\n\n       Restitution\n\n       On several occasions during our audit, EOUSA officials told us that\npersonnel who worked with victims were often asked questions related to\nrestitution. 9 We therefore included questions in our survey related to\nrestitution information available on the VIS. We found that 40 percent of\nour respondents had accessed the VIS to obtain that information. Of those\nrespondents, 57 percent were dissatisfied or extremely dissatisfied with the\nrestitution information they received from the VIS. This analysis is shown in\nthe following chart.\n\n\n\n       8\n         We conducted all of our analyses related to the VIS on this universe of\n98 respondents who indicated that they accessed the VIS to review case information.\n       9\n          According to information on the VIS, restitution is defined as a court order\ndirecting the defendant to pay a fixed amount of money to the victim in order to\ncompensate the victim for loss incurred as a result of the crime.\n\n                                      xi\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n\n       How satisfied were you with the restitution information you received?\n                                       No Response\n                                            2\n\n\n\n\n                                                     Satisfied - Extremely\n                                                           Satisfied\n                                                               15\n                         Dissatified - Extremely\n                              Dissatified\n                                    22\n\n\n\n\n                     Source: OIG survey of victims active in the VNS\n\n      Several provided additional comments about their dissatisfaction with\nthe amount of restitution information available. We also used our test victim\naccount to review restitution information provided in the VIS and found that\nthe language for restitution in the VIS was not clearly written.\n\n       We discussed with EOUSA officials the possibility of providing more\nrestitution information to victims on the VIS. While these officials initially\nnoted that providing this information to victims is not required, in\nAugust 2007 EOUSA officials stated that they will clarify the information\nregarding restitution that is provided to victims on the VIS.\n\nThe VNS Call Center\n\n       The VNS Call Center consists of an automated, toll-free telephone\nresponse system, as well as operators who can provide case information to\nvictims. The automated system generates computerized voice readings of\nnotifications, while operators are able to provide victims answers to a limited\nnumber of questions and direct them to points of contact for additional\ncase-related information. Call Center operators also provide information to\nfederal VNS users.\n\n\n\n\n                                  xii\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\n      We found that of the active victim survey respondents, 11 percent had\ncalled the toll-free number. We then conducted separate analyses on those\nvictims who had utilized the automated response and those who had utilized\nthe operator assistance. 10\n\n       Call Center Automated Assistance\n\n      In total, we found that 37 (65 percent) of the 57 victims using Call\nCenter services utilized automated assistance. As shown in the following\nchart, when we analyzed responses from these 37 victims, we found that\n15 (41 percent) never or rarely received information, while 12 (32 percent)\nalways or often received information.\n\n                      Did you receive the information you wanted\n                             from the automated system?\n\n\n\n\n                                  No Response\n                                       5            Always\n                                                       7\n\n\n\n\n                             Never                           Often\n                               9                               5\n\n\n\n                                                     Sometimes\n                                                        5\n                                         Rarely\n                                           6\n\n\n\n\n                        Source: OIG survey of victims active in the VNS\n\n\n      As shown in the following chart, when we reviewed responses from\nthese same 37 victims regarding the ease with which they were able to\naccess information using the automated system, we found that most found\nthe automated system at least somewhat easy to use.\n\n\n\n       10\n           As part of our analysis, we found that 15 victims had utilized both automated and\nlive Call Center assistance. We included these 15 victims in our analyses of each of these\ntypes of assistance in order to capture all of the victims utilizing a particular type of\nassistance.\n\n                                    xiii\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n       How easy is it to access information through the automated system?\n\n\n                                 No Response\n                                      5\n\n                                                   Very Easy &\n                                                      Easy\n                                                        13\n                           Not Easy & Not\n                             Easy at all\n                                 11\n\n\n                                            Somewhat Easy\n                                                 8\n\n\n\n\n                    Source: OIG survey of victims active in the VNS\n\n\n      We also used our test victim account to evaluate the Call Center\xe2\x80\x99s\nautomated assistance and identified some potentially confusing aspects,\nincluding uncertainty about what functions pressing certain buttons on the\nphone would accomplish. We also found that more case information was\navailable to us on the VIS than via the automated assistance.\n\n      Overall, while the automated assistance appears to be relatively easy\nto use, it can prove challenging and does not always provide the desired\ninformation to victims, nor does it provide as much information as does the\nVIS. We believe it would be worthwhile for EOUSA to make the automated\nassistance more user-friendly for victims.\n\n     Call Center Operator Assistance\n\n      As noted earlier, the Call Center\xe2\x80\x99s operator assistance is able to\nprovide victims only a limited amount of information. Specifically, according\nto Call Center staff, EOUSA has specified that Call Center operators can\nprovide information on 10 case-specific areas. If victims require information\noutside of these areas, the Call Center staff tells them who to contact for\nfurther information.\n\n      Through our analyses, we found that 35 of the 59 victims who utilized\nCall Center services had utilized operator assistance. As shown in the chart\nthat follows, when we analyzed the responses from these 35 victims, we\ndetermined that 16 of them always or often received the information they\nwanted from the live assistance.\n\n\n\n                                xiv\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n                  Did you receive the information you wanted?\n                       (from Live Call Center Assistance)\n\n\n\n                                No Response\n                                     5\n\n\n\n\n                         Never & Rarely          Always & Often\n                               6                      16\n\n\n\n\n                                   Sometimes\n                                      8\n\n\n\n\n                     Source: OIG survey of victims active in the VNS\n\n\n       Despite this relatively positive response, 17 respondents who had\nutilized the assistance indicated that they were dissatisfied because: (1) the\nsystem lacked restitution information; (2) case or defendant custody\ninformation was not updated; and (3) the system did not contain, in general,\nenough information and assistance.\n\n       When we used our test victim account to evaluate the operator\nassistance, we identified several additional issues, such as the fact that a\nvictim can only select to speak with a live operator at the beginning of a call.\nSpecifically, if a caller does not immediately select that option (perhaps\nbefore the caller has received much information or had the time to develop\nquestions), the caller must hang up, call back, and select to speak with a\nlive operator at the outset of the call. We also found that the Call Center\nhad only one Spanish-speaking operator on staff, who cannot cover every\nhour of every day the Call Center is in operation. This contradicts the VNS\ncontract, which specifies that a victim must have the option of speaking\ndirectly with a Call Center operator to obtain case information in either\nEnglish or Spanish.\n\n       We discussed these issues with EOUSA officials in June 2007. In\nAugust 2007, EOUSA officials informed us that they had notified the\ncontractor of the requirement for a Spanish-speaking operator to be on duty\nduring all Call Center operating hours. As a result, according to EOUSA\nofficials, the contractor is now planning to add another Spanish-speaking\noperator to the Call Center.\n\n                                 xv\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nAvailability of Custody Status Data\n\n      In our survey of victims active in the VNS, we found that respondents\nconsidered custody status information to be very important. As depicted in\nthe following chart, more than 70 percent (375 out of 531) of respondents\nindicated that knowing the custody status of the defendant was important to\nthem.\n\n    How important is it for you to know the custody status (incarcerated or not\n           incarcerated) of the defendant(s)/inmate(s) in your case?\n\n\n                       Important-Extremely\n                           Important\n                               375\n\n\n\n\n                                             Not Important\n                                                  121\n\n\n\n\n                                                                  No Response\n                                                                       35\n\n\n                     Source: OIG survey of victims active in the VNS\n\n\n      The Attorney General Guidelines for Victim and Witness Assistance\nmandate that DOJ agencies notify victims of the release or escape of an\noffender or suspected offender. However, USAOs do not consistently enter\ndefendant custody status information into the VNS during the prosecutorial\nphase. In addition, although the USMS maintains custody status information\non offenders, it is not connected to the VNS and had not been approached to\ndo so.\n\n      We discussed these issues with EOUSA officials, who agreed that they\nhad not taken action to include in the VNS information from the USMS on\ndefendant custody status. In August 2007, EOUSA officials advised us that\nproviding custody status information to victims would be a priority and that\nthey were coordinating with the USMS about this issue.\n\n                                 xvi\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\nVictims No Longer Active in the VNS\n\n      Certain victims have been removed from an active status, or \xe2\x80\x9copted-\nout\xe2\x80\x9d of the system. A victim can choose to be opted-out of the VNS or be\nopted-out by a federal user because of an invalid address or if the person is\nno longer considered to be a victim. While the VNS contains a field that\nrecords the reason a victim is opted-out of the system, it is not mandatory\nthat a federal user populate this field when opting out a victim.\n\n      We analyzed VNS data provided by EOUSA and found that\n164,493 victims were opted-out of the system between the VNS\xe2\x80\x99s inception\nin October 2001 and September 20, 2006. As depicted in the following\ntable, when we further analyzed the data, we found that 32 percent of these\nvictims had been opted-out with no reason given.\n\n                      VICTIMS OPTED-OUT OF THE VNS\n                    October 2001 to September 20, 2006\n                                 Number of\n         Opt-Out Reasons        Registrants          Percentage\n         Contact Choice                 4,144               3%\n         Invalid Address               79,597              48%\n         User Choice                   28,486              17%\n         No Longer a Victim                17              <1%\n         No Reason Given               52,249              32%\n         Total                       164,493              100%\n         Source: OIG analysis of VNS data\n\n\n      This large overall percentage of victims opted-out with no reason\nprovided is troubling because there is no easy way to evaluate whether that\nvictim was opted-out for a valid reason.\n\n      Survey of Opted-out Victims\n\n      As previously noted, in addition to our survey of victims active in the\nVNS, we also conducted a survey of opted-out victims. To maximize our\nresponse rate, we limited our universe to those victims opted-out of the VNS\nduring the previous 2 full fiscal years prior to the survey, thus isolating\n71,179 victims who were opted-out during FYs 2005 and 2006.\n\n      We developed a sample and sent our survey to 480 victims and\nreceived 58 responses, a relatively low 12-percent response rate. Overall,\nbased on this relatively low overall response rate, including 203 surveys that\nwere returned as undeliverable, our survey of opted-out victims did not\nprovide clear evidence about why victims opt-out of the system.\n\n                                  xvii\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n\nVNS Information Security\n\n       During the course of our audit, we determined several attempted\nelectronic break-ins to the VNS had occurred and that some recommended\nsecurity patches for the system had not been installed because the patches\nhad not been approved by EOUSA. After discussing these issues with EOUSA\nofficials, we determined that the sensitive nature of the personally\nidentifiable information (or PII) in the VNS \xe2\x80\x93 such as names, contact\ninformation, and social security numbers \xe2\x80\x93 as well as the possible\nconsequences of failing to adequately protect it, warranted a more in-depth\nreview of the VNS\xe2\x80\x99s information security. Therefore, the OIG contracted\nwith outside auditors, Urbach, Kahn, & Werlin, LLP (UKW), to conduct an\nindependent assessment to determine whether the VNS information security\nand privacy policies comply with government standards and established best\npractices. 11\n\n       As a result of this assessment, we identified deficiencies with EOUSA\xe2\x80\x99s\nimplementation of systems and communications protection controls,\nidentification and authentication, website privacy, security measures, and\nweb application controls. These deficiencies indicate that the sensitive\ninformation contained within the VNS was not adequately protected against\nloss of confidentiality and the integrity and availability of data was not\nappropriately ensured. Moreover, because of these issues the VNS may be\nsusceptible to unauthorized use, access, or data modification.\n\nSystems and Communications Protection Controls\n\n      Systems and communications protection controls prevent unauthorized\nand unintended information transfer between different elements within the\nsame system. We identified weaknesses in transmission integrity and data\nvalidation.\n\n      Transmission integrity and data validation are used to check the\ncompleteness and accuracy of data entered into a system. We reviewed these\ncontrols for agencies that transmit data into the system and found that while\nEOUSA is encrypting data received from the USAOs, the DOJ Criminal\nDivision, and the USPIS, it is not doing so for the FBI and the BOP.\nAdditionally, EOUSA did not always ensure the completeness or accuracy of\ndata files received from the BOP and the FBI. Because EOUSA is not\nperforming these functions, it does not have the ability to detect or prevent\n\n       11\n           In this section of our report, \xe2\x80\x9cwe\xe2\x80\x9d and \xe2\x80\x9cour\xe2\x80\x9d refer to the auditors working under\nthe direction of the OIG.\n\n                                     xviii\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\nthe alteration of transmitted data. When we spoke with EOUSA officials about\nthis issue, they acknowledged these deficiencies and said they were currently\ndiscussing the implementation of complete session encryption for BOP and FBI\ndata.\n\nIdentification and Authentication\n\n      Identification and authentication controls ensure that users\xe2\x80\x99 identities\nare verified before they can connect to the system. A system security plan,\nwhich is designed to provide an overview of the security requirements of the\nsystem and describe the controls in place, commonly contains this information\nfor users. Moreover, these plans are necessary for certification, accreditation,\nand authorizing a system to operate. We found that the VNS system security\nplan contained inaccurate information and had not been updated with the\ncorrect procedural information, contact information, and process of\nauthenticating users. This lack of an updated system security plan could\nresult in an inaccurate or incomplete depiction of the VNS\xe2\x80\x99s system security\nand control environment, meaning that the certification and accreditation\ndocument is being approved based upon out-of-date information.\n\nWebsite Privacy\n\n       Website privacy controls protect data collection and PII and include\nexternal linking policies. These controls inform users when they are about to\nvisit a third-party website so that users know that they will no longer be\nprotected by the privacy policies of the current site once they utilize a\nhyperlink to navigate to another website. We reviewed the VIS\xe2\x80\x99s external\nlinking policies and found that the VIS does not provide such a disclaimer\nnotification to users, meaning that victims who utilize the hyperlink may be\nunaware that differing privacy policies are in effect. DOJ policy specifies that\na disclaimer statement informing users that they will no longer be protected\nby DOJ privacy policies must be provided.\n\nVIS Web Application Controls Testing\n\n       Testing web application controls helps to identify vulnerabilities and\nrisks that can result in the loss of confidentiality, integrity, and availability of\ndata. We utilized commercially available software tools to evaluate the VIS\xe2\x80\x99s\nweb application security and identified the following vulnerabilities:\n\n   \xc2\x83   The VIS may allow manipulation within a web application, which can\n       exploit security issues.\n\n\n\n                                  xix\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n  \xc2\x83   The configuration of the VIS allows for the possibility that users could\n      bypass the entry of usernames and passwords of linked web pages.\n      As a result, individuals could gain access to unauthorized information.\n\n  \xc2\x83   The application may be vulnerable to attacks that can allow malicious\n      users to retrieve data or alter server settings.\n\n  \xc2\x83   The VNS server configuration allowed for access to common default\n      directories, which often contain exploitable vulnerabilities.\n\n  \xc2\x83   The VNS uses a computer language, JavaScript, which has certain\n      risks inherent to its use.\n\n  \xc2\x83   The potential existed for unauthorized users to access web server\n      administrative interfaces and thereby gain access to web server\n      administrative functions.\n\n  \xc2\x83   The VNS is susceptible to an attacker using web server software to\n      access data in an unauthorized directory. Moreover, the execution of\n      arbitrary commands and code by an attacker may be possible.\n\n      We consider the vulnerabilities found in the VIS web application\ncontrols to be significant because the system contains PII. We therefore\nrecommend EOUSA take the necessary steps to improve its website security\nand eliminate these vulnerabilities.\n\nThe VNS Vulnerability Assessment\n\n      We also performed a vulnerability assessment to identify the security\ncontrols implemented for the VNS environment. We compared the VNS\xe2\x80\x99s\ncurrent security controls to DOJ\xe2\x80\x99s standards and identified vulnerabilities\nwithin three areas.\n\n      \xe2\x80\xa2     Unnecessary or Vulnerable Service \xe2\x80\x93 We found unnecessary or\n            vulnerable services operating on the VNS, which if not properly\n            secured or disabled, could be exploited to launch attacks against\n            the system\xe2\x80\x99s infrastructure.\n\n\n\n\n                                xx\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\n       \xe2\x80\xa2      Patch Management \xe2\x80\x93 We found that EOUSA did not always apply\n              application and server patches in a timely manner. 12\n              Specifically, EOUSA had not applied several patches that had\n              been available since 2002 and 2005, which, in essence, allowed\n              a known vulnerability to continue to exist. This made the VNS\n              susceptible to a disruption of its operations.\n\n       \xe2\x80\xa2      Network Device and Server Security \xe2\x80\x93 Due to EOUSA\xe2\x80\x99s\n              management of the VNS\xe2\x80\x99s device settings and configurations,\n              the VNS may be susceptible to unauthorized use, access, or data\n              modification of system configuration and password files.\n\nConclusion\n\n      Since VNS began in FY 2002, it has grown to contain information on\nmore than 1 million federal crime victims. While creating such a system that\nwas designed to provide notifications to so many individuals is an impressive\nachievement, we found certain areas in which VNS operations could be\nimproved.\n\n      In terms of EOUSA\xe2\x80\x99s management of the VNS, we found that federal\nVNS users were generally satisfied with services provided by the VNS.\nHowever, weaknesses remain in the VNS Call Center\xe2\x80\x99s automated and Call\nCenter assistance, the accuracy of data in the VNS, and the long-term plans\nfor the future of the system. While EOUSA has taken proactive steps to\naddress some of these issues after we brought them to its attention, other\nissues remain, and we recommend that EOUSA address these issues in the\nsame manner.\n\n      We attempted to gauge the effectiveness of the VNS in notifying\nvictims by conducting surveys of both active victims and those who have\nbeen opted-out of the system, as well as by using a test victim account to\nevaluate Call Center and VIS services. Our survey of those victims active in\nthe VNS indicated that many of them found notifications to be\nunderstandable and useful to some degree. However, we identified areas in\nwhich VNS-related services could be improved. Most notably, a quarter of\nour respondents indicated they did not know about the VNS or that they\nwere included in the VNS as a victim, that they had no idea why they had\nreceived our survey, or that our survey was the first piece of correspondence\n\n       12\n           Patches are developed by software manufacturers following the identification of\nexploitable system security weaknesses. Patch management is the process of controlling\nthe deployment and maintenance of interim software releases into a system\xe2\x80\x99s environment\nand is used to maintain operational efficiency and effectiveness, overcome security\nvulnerabilities, and maintain the stability of the system\xe2\x80\x99s environment.\n\n                                    xxi\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nthey had received regarding the VNS. Additionally, although EOUSA\nencourages victims to use the VNS website, only a small percentage of our\nrespondents utilized it to obtain information about their cases. As with\nmanagement of the system, EOUSA has already begun to implement\ncorrective action to address these issues, and we recommend that it\ncontinue to do so.\n\n      Our information security review of the VNS identified several areas of\nconcern, including weaknesses in systems and communications protection\ncontrols, identification and authentication controls, and web application\ncontrols. We believe that it is important that EOUSA work to address these\nvulnerabilities since the VNS contains PII on over 1 million victims of federal\ncrimes.\n\n      As noted, according to EOUSA, it has already begun to implement\ncorrective action to address some of the weaknesses we have identified.\nAdditionally, to further assist EOUSA in the improvement of the VNS, we\nmake 19 recommendations for EOUSA to improve the VNS, such as\ndeveloping an interface to connect all relevant federal agencies to the VNS,\nformalizing long-term plans for the system and its management, improving\ncertain facets of Call Center services, ensuring that a reason must be\nrecorded in order to opt-out a victim from the VNS, and addressing the\nvulnerabilities identified during the information security review of the VNS.\n\n\n\n\n                                 xxii\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n                  THE VICTIM NOTIFICATION SYSTEM\n                         TABLE OF CONTENTS\n\nINTRODUCTION ................................................................................ 1\n  Establishment and Funding of the VNS ................................................ 1\n  How the VNS Works.......................................................................... 4\n  VNS Oversight ................................................................................. 7\n  OIG Audit Approach .......................................................................... 7\nFINDINGS AND RECOMMENDATIONS.............................................. 10\nI. EOUSA MANAGEMENT OF THE VNS .............................................. 10\n  The VNS Contract ........................................................................... 10\n  Accuracy of VNS Information ........................................................... 14\n  The Future of the VNS..................................................................... 17\n  Conclusion..................................................................................... 23\n  Recommendations .......................................................................... 24\nII. THE VNS\xe2\x80\x99s EFFECTIVENESS FOR VICTIMS .................................. 26\n  Background ................................................................................... 26\n  VNS Active Victim User Satisfaction .................................................. 26\n  Victims No Longer Active in the VNS ................................................. 45\n  Conclusion..................................................................................... 48\n  Recommendations .......................................................................... 50\nIII. REVIEW OF VNS INFORMATION SECURITY .............................. 51\n  Background ................................................................................... 51\n  Objectives, Scope, and Methodology of Review ................................... 51\n  Overview of Information Security Controls Review Results ................... 52\n  Conclusion..................................................................................... 59\n  Recommendations .......................................................................... 59\nSTATEMENT ON INTERNAL CONTROLS............................................ 61\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ...... 62\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 63\nAPPENDIX II: LAWS, REGULATIONS, AND MANDATES ENACTED\n               FOR VICTIMS OF CRIME ...................................... 66\nAPPENDIX III: FUNDING THE VNS................................................. 72\nAPPENDIX IV: TYPES OF NOTIFICATIONS ..................................... 74\nAPPENDIX V: OFFICE OF THE INSPECTOR GENERAL\n              OPT-IN SURVEY.................................................... 79\n\n\n\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nAPPENDIX VI: OFFICE OF THE INSPECTOR GENERAL\n               OPT-OUT SURVEY................................................ 94\nAPPENDIX VII: OPT-IN SURVEY SCOPE, METHODOLOGY,\n                AND RESPONSE REVIEW.................................... 96\nAPPENDIX VIII: OPT-OUT SURVEY SCOPE AND METHODOLOGY .... 98\nAPPENDIX IX: OPT-IN SURVEY QUESTION 41 ............................... 99\nAPPENDIX X: THE VICTIM NOTIFICATION SYSTEM\xe2\x80\x99S\n              VULNERABILITY ASSESSMENT RESULTS ............ 101\nAPPENDIX XI: THE VICTIM INTERNET SYSTEM\xe2\x80\x99S WEB\n               APPLICATION TESTING RESULTS...................... 102\nAPPENDIX XII: EXECUTIVE OFFICE FOR UNITED STATES\n                ATTORNEYS RESPONSE ................................... 103\nAPPENDIX XIII: OFFICE OF THE INSPECTOR GENERAL\n                 ANALYSIS AND SUMMARY OF ACTIONS\n                 NECESSARY TO CLOSE THE REPORT ............... 112\n\n\n\n\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n\n\n\n                                    INTRODUCTION\n\n      In response to legislation directing federal law enforcement agencies\nto identify and provide certain services to crime victims, the Department of\nJustice (DOJ) developed the Victim Notification System (VNS), a computer-\nbased system managed by DOJ\xe2\x80\x99s Executive Office for United States\nAttorneys (EOUSA). The VNS assists federal personnel in notifying victims of\nfederal crimes of events occurring in the investigation, prosecution, and\nincarceration phases of their cases and provides victims various methods to\naccess information regarding their cases. 13 The VNS came online in\nOctober 2001 and as of October 5, 2007, the VNS contained information on\n1,564,667 victims.\n\nEstablishment and Funding of the VNS\n\n       The Victim and Witness Protection Act of 1982, the Victims of Crime\nAct of 1984, the Crime Control Act of 1990, the Violent Crime Control and\nLaw Enforcement Act of 1994, the Justice for All Act of 2004, and the\nAttorney General\xe2\x80\x99s (AG) Guidelines for Victim and Witness Assistance\nestablished procedures to address the needs of victims of crime. 14 Each of\nthese contains a directive to ensure that victims are notified of significant\nstages and procedural developments in the criminal justice process.\nNotification means keeping victims aware of the status of an investigation of\na crime, as well as the subsequent prosecution, trial, incarceration, location,\nand custody status of the offender related to the crime.\n\n      On April 14, 1997, the Attorney General issued a memorandum that\ndirected EOUSA to implement a comprehensive automated victim\ninformation and notification system as soon as possible. The Attorney\nGeneral mandated that the system be available for use by investigative and\nprosecutorial components such as the Federal Bureau of Investigation (FBI),\nU.S. Attorneys\xe2\x80\x99 Offices (USAO), and the Federal Bureau of Prisons (BOP).\n\n\n\n\n       13\n          A victim is defined in the VNS as an individual upon whom a criminal act is\nperpetrated and who is directly and proximately harmed as a result of a crime that is\ncharged as a federal offense. Victims can decide to designate another person as their\nprimary (alternate) contact to receive notification. This alternate contact is someone who\ncan be reached in lieu of the victim, such as a friend, attorney, relative, or business\nassociate of the victim, who also has an interest in the case.\n       14\n            Additional information regarding this legislation can be found in Appendix II.\n\n\n\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n      With funding provided by DOJ\xe2\x80\x99s Office for Victims of Crime (OVC),\nEOUSA managed the development of the VNS and actual field deployment\nbegan in early October 2001. The exhibit on the following page illustrates\nVNS\xe2\x80\x99s development and funding from fiscal year (FY) 1996 through FY 2007,\nhighlighting a spike in funding in FY 2000, and a slight decline in funding\nlevels since that time. Since work began on creating the system in FY 1998,\nthe VNS has cost a total of more than $38 million.\n\n      According to EOUSA officials, the VNS received significantly more\nfunding in FY 2000 than during any subsequent fiscal year to cover the initial\ndevelopment and implementation of the system. Officials stated that no\nfunding was provided for the VNS in FY 2001 because the funding provided\nduring the previous fiscal year had not been fully utilized. 15 Moreover,\naccording to OVC officials, several reasons account for the slight decline in\nfunding since FY 2004. Specifically: (1) the VNS is carrying forward the\nprior year\xe2\x80\x99s balance; and (2) funding for the Office of Justice Programs\n(OJP), of which the OVC is a part, has decreased.\n\n\n\n\n      15\n           Additional information regarding VNS funding is found in Appendix III.\n\n                                      2\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                                                                            REDACTED FOR PUBLIC RELEASE\n                                                       June 1998\n                        April 1997\n                                                  2-year Interagency\n                                                agreement between the\n                                                                                                    VNS DEVELOPMENTAL AND FUNDING TIMELINE\n                 The Attorney General\n                  directs EOUSA, FBI,\n                                               OVC and EOUSA making\n                                                 money from the Crime\n                                                                                                            FY 1996 THROUGH FY 2007\n                    JMD, and BOP to\n                                                Victim Fund available to\n                implement an automated\n                                                develop the notification\n                victim notification system.\n                                               system. Cost estimated at\n                                                        $8 million.\n                                                                             November\n                                                                                1999\n    November 1996                                                            Request for\n   DOJ working group                                                       Procurement for                        October 2001\n   meets to develop a                                                        the VNS is                                                                                            January 2006\n                                                                                                                      Field\n seamless system from                                                          issued.                                                                              The VIS goes    DOJ Criminal\n                                                                                                                  Deployment to\n  investigation through                                                                                                                                                online.        Division\n                                                                                                                  EOUSA, FBI,\n     incarceration.                                                                                                                                                                connects to the\n                                   September 1997                                                                   and BOP\n                                  BDM issues its report.                                                             begins.                                                           VNS.\n\n                                                                                                                                                    May 2004\n                                                                                                                                                 AT&T proposes\n                                                                                                                                                  creation of the\n                                                                                                                                                       VIS.\n                                                                                                                                                                                    FY 2006           FY 2007\n                                                                                                                                   FY 2003                           FY 2005        VNS RA 3          VNS RA 3\n                                         FY 1998            FY 1999                                                                                FY 2004           VNS RA 2      $5.3 million       $5 million\n FY 1996           FY 1997           VNS Reimbursable                                              FY 2001                         VNS RA 2\n                                                             VNS RA 1                                                                             VNS RA 2          $4.9 million\n   $0                $0              Agreement (RA) 1                                                $0            FY 2002        $5.1 million\n                                                             $193,765          FY 2000                                                           $5.1 million\n                                         $559,122                             VNS RA 1                             VNS RA 2                                                                           August 2007\n                                                                                                                   $5 million                                                       September\n                                                                           $7.2 million\n                                                                                                                                                                                       2006          MOA connecting\n                                                                                                                                                                                      AOUSC          U.S. Courts and\n                                                                                                                                                   July 2004                         approves          the VNS is\n                                                                                                                                                 USPIS connects                    connection of         signed.\n                                                                                                                  January 2002                    to the VNS.\n                                                                                                                      Field                                                        U.S. Courts to\n       June 1996\n                                                                                                                   deployment                                                        the VNS.\nExecutive Order directs                    Febuary 1998\n     DOJ to adopt a                    OVC conducts meeting                                                         concludes.\n                                                                               July 2000\n nationwide automated                  where EOUSA agrees\n                                                                             AT&T aw arded\n victim information and               to take a leadership role\n                                                                           contract to dev elop\n   notification system.                to develop the system.\n                                                                                the VNS.\n                                                                                                       May 2001\n                                                                                                  EOUSA, FBI, & BOP\n                                                                                                       enter into a                        JMD - Justice Management Division\n                           June 1997                                                               "VNS Operational                        VIS - Victim Information System\n               EOUSA hires contractor, BDM, to                                                    Memorandum," which                       USPIS - United States Postal Inspection Service\n               assess each agency\'s notification                                                  delineates roles and                     AOUSC - Administrative Office of the United States Courts\n                  practices and to assess the                                                        responsbilities.                      MOA - Memorandum of Agreement\n                compatibility of existing agency\n                      notifcation systems.\n\n\n\n\n                                                                                         3\n                                                                            REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n\n\nHow the VNS Works\n\n       The VNS is a web-based application. The system hardware consists of\na server, located at the Justice Data Center in Rockville, Maryland, as well as\na Call Center facility and live back-up server in Louisville, Kentucky. The\nVNS receives data from automated case management systems at the FBI,\nUSAOs, the DOJ Criminal Division, the United States Postal Inspection\nService (USPIS), and the BOP. Specifically, the VNS receives daily\ndownloads from the FBI\xe2\x80\x99s Automated Case Support (ACS) system, the\nUSPIS\xe2\x80\x99s Inspection Service Integrated Information System (ISIIS), the\nUSAO\xe2\x80\x99s Legal Information Office Network System (LIONS), the DOJ Criminal\nDivision\xe2\x80\x99s Automated Case Tracking System II (ACTS II), and BOP\xe2\x80\x99s SENTRY\nsystem. Data transferred from the various systems includes case number;\nvictim, defendant, and inmate information; court events; and custody status\nupdates. Notably, some victim-related information that resides in the VNS\nis personally identifiable information (PII), such as the names, addresses,\nand, in some cases, social security numbers of victims of federal crimes.\n\n      Initially, the system consisted of the VNS, which federal VNS users\naccessed via a secure intranet connection, and the Call Center, which was\nused by both federal VNS users and victims of federal crimes. However, in\nFY 2004 the contract was modified to enhance VNS services by providing\nvictims with Internet access to their case information. This resulted in the\ndevelopment of the Victim Internet System (VIS), which allows victims to\nhave access to a subset of VNS data via the Internet. The VIS database\nserver, in which the users\xe2\x80\x99 encrypted information is stored, is also located at\nthe Justice Data Center.\n\n      Federal VNS users who specialize in dealing with victims and victim\nissues, such as FBI Victim Specialists and USAO Victim/Witness\nCoordinators, access the VNS to manage the information that relates to\ncases in the control of their agency. Victims of federal crimes utilize VNS\nservices to obtain information on their related cases. Specifically, victims in\nthe VNS are notified of case events by letter, e-mail, facsimile, or telephone\nwhen a particular event in a case occurs. 16 These victims can also obtain\ninformation at any time by calling the VNS Call Center or by accessing the\nVIS. The following graphic illustrates how the various component systems\nfeed into the VNS, as well as how victim users of the system obtain case-\nrelated information.\n\n\n\n\n      16\n           A list of all events that require notification is found in Appendix IV.\n\n                                       4\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n                          INFORMATION FLOW IN THE VNS\n\n\n                                           CRIMINAL\n                                           DIVISION\n                                            ACTS II\n\n\n\n\n                                                                           The VIS\n\n\n\n\nSource: VNS User Manual and the DOJ Criminal Division\n\nVictim Notifications\n\n      In the VNS, a \xe2\x80\x9cnotification\xe2\x80\x9d is a communication from the federal\ngovernment to a victim, prompted by a particular event in the case. Events\nthat prompt a notification to victims are referred to as \xe2\x80\x9cnotifiable.\xe2\x80\x9d When\nsuch an event occurs in a case, the identified victim in that case is notified\nvia the VNS by a variety of means, such as letter, facsimile, e-mail, or\ntelephone. Only victims and their alternate contacts who are \xe2\x80\x9copted-in\xe2\x80\x9d to\nthe system can receive notifications. 17 In addition to notification, a victim in\nthe VNS can also obtain information on his or her case at any time by\ncontacting the VNS Call Center or by accessing the VIS, which provides\nvictims the capability to receive notifications, access information regarding\n\n       17\n           \xe2\x80\x9cOpt-in\xe2\x80\x9d is the status of a victim or contact allowing them to receive notification\nand access the VNS Inbound Phone Line and Internet web page. Throughout the report we\nalso refer to these victims as \xe2\x80\x9cactive\xe2\x80\x9d in the VNS.\n\n\n                                      5\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\ntheir case, and update their personal contact information via the Internet. A\nvictim generally receives notifications regarding the three phases of the\nfederal criminal justice process: the investigative, prosecutorial, and\nincarceration phases.\n\n       Investigative Phase\n\n       The investigative phase consists of the time after a crime has been\ncommitted (or allegedly been committed) to the time a case has been\naccepted or declined by the USAO for prosecution. The FBI and the USPIS\nare the only federal law enforcement agencies that utilize the VNS to notify\nvictims of events that occur during the investigative phase of the criminal\njustice process. 18 The FBI and the USPIS provide limited investigative case\ninformation and detailed victim information through an export of data from\ntheir agency case management systems into the VNS. FBI and USPIS\npersonnel then use the VNS to create, approve, and generate seven different\nvictim notifications, such as an initial notification informing a victim that a\ncase is under investigation, informing victims of their rights under U.S. law,\nor notification that a case has been referred for state or local prosecution.\n\n       Prosecutorial Phase\n\n      The prosecutorial phase encompasses the time charges have been filed\nby the USAO to the time a defendant is sentenced. As with the FBI and the\nUSPIS, USAOs and the DOJ Criminal Division export information from their\nautomated case management systems into the VNS. This information\nincludes case data, as well as defendant, charge, and court event records,\nfrom cases that are either linked to previously loaded FBI or USPIS cases or\nare new USAO or Criminal Division cases investigated by agencies other than\nthe FBI or the USPIS. The USAOs and the DOJ Criminal Division have\n90 different notifications that relate to a defendant and contain case-specific\ninformation, such as the charges filed, trial dates, custody status, and\nsentencing information.\n\n       Incarceration Phase\n\n       The incarceration phase consists of the time a defendant is sentenced\nuntil the time a defendant is released from BOP custody. If a defendant is\nconvicted and then sentenced to serve time in a federal facility, he or she\nbecomes an inmate and is transferred to BOP custody. BOP notifications are\n\n       18\n           Other federal criminal justice agencies, such as the Bureau of Alcohol, Tobacco,\nFirearms and Explosives, and the United States Secret Service, provide investigative phase\nnotifications to victims without using the VNS.\n\n\n                                     6\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\ncreated when data is received from BOP\xe2\x80\x99s SENTRY system. BOP personnel\nthen use the VNS to create, approve, and generate 22 various types of\nnotifications to victims, such as information related to defendant release,\nescape, or death.\n\nVNS Oversight\n\n       In late 1999, the Deputy Director of EOUSA designated an Assistant\nUnited States Attorney (AUSA), located in Kansas City, Kansas, to assume\nprogram management responsibilities over the VNS. Since then, this project\nmanager has been detailed to work full-time on the VNS and has held this\nposition while physically remaining in the USAO in Kansas City. The project\nmanager reports to EOUSA through the Office of Legal Programs and Policy.\n\n      In addition to the VNS Project Manager, additional program\nmanagement responsibilities are to be carried out by various groups,\nincluding the VNS Executive Committee and the VNS Working Group. The\nVNS Executive Committee consists of senior-level management from EOUSA,\nthe DOJ Criminal Division, the FBI, the BOP, the OVC, and the USPIS. The\nExecutive Committee meets once a year to discuss financial issues, review\nsystem events from the previous year, and consider planned changes for the\nupcoming year. The VNS Working Group meets once a quarter and consists\nof representatives from EOUSA, the FBI, the DOJ Criminal Division, the BOP,\nand the USPIS. The purpose of the VNS Working Group is to review all\nproposed system changes and enhancements, implement its priorities, and\nprovide input on any issues with the daily operation of the VNS.\n\nOIG Audit Approach\n\n      The objectives of this audit were to determine if:\n\n      (1) EOUSA has effectively managed the VNS, including overseeing the\ncontractors, ensuring the accuracy of data in the system, and planning for\nthe future;\n\n      (2) The VNS is an effective tool for victims of crime; and\n\n     (3) The VNS is properly secured to prevent unauthorized use, access,\nand data modification.\n\n      To accomplish our audit objectives, we conducted more than\n50 interviews with officials from agencies that are directly involved with the\nVNS, including officials from EOUSA, the DOJ Criminal Division, the FBI, the\nBOP, the USPIS, and the OVC. We also spoke with headquarters officials\n\n                                 7\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\nfrom those agencies that do not directly participate in the VNS, such as the\nBureau of Alcohol, Tobacco, Firearms and Explosives (ATF); the Drug\nEnforcement Administration (DEA); the U.S. Marshals Service (USMS); the\nAdministrative Office of the U.S. Courts (AOUSC); Immigration and Customs\nEnforcement (ICE); and the U.S. Secret Service (USSS) to determine their\nknowledge of the VNS, whether they were contacted about directly\nparticipating in the VNS, and why they do not participate. Additionally, we\ninterviewed the contractor (AT&T Government Solutions), who manages the\nsystem, as well as the sub-contractor (Appriss), who manages the Call\nCenter/Help Desk and back-up servers. We also reviewed internal\ndocuments from EOUSA, the DOJ Criminal Division, the FBI, the BOP, the\nUSPIS, and the OVC. Those documents included planning materials,\ncontracts, manuals, internal directives and policies, and financial reports.\nMoreover, we obtained and analyzed empirical data from the VNS and used\nthis information to develop descriptive statistics on the number and types of\nvictims in the system.\n\n       We conducted fieldwork in Chicago and Lisle, Illinois; Lexington and\nLouisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas\nCity, Missouri, where we interviewed 22 field personnel. At these locations\nwe spoke with senior management and staff who utilized the VNS at the\nlocal USAO, BOP, USPIS, and FBI offices, and reviewed reports and files\napplicable to our review. In addition, at the FBI, we interviewed special\nagents who work cases with multiple victims. In general, the scope of our\naudit covered the period from FY 1998 through FY 2007.\n\n      Related to our first objective, we performed a limited review of the\nservices provided by the contractor and sub-contractor, including Call Center\noperations; discussed the entry of information into the VNS with federal VNS\nusers; reviewed data in the VNS and spoke with federal VNS users to\ndetermine if information in the system was accurate; and interviewed\nnon-participating agencies to determine if outreach was performed and if the\nagencies were interested in participating directly with the VNS. Regarding\nour second objective to determine if the VNS is an effective tool for victims,\nwe designed and deployed two surveys: one to victims who were active in\nthe system and another to victims who were no longer active in the\nsystem. 19 We selected stratified, statistical samples of victims located\nthroughout the world, to whom we sent the surveys. 20 We also reviewed\nother surveys conducted by EOUSA and BOP as well as conducted our own\n\n       19\n            Copies of both of our surveys can be found in Appendices V and VI.\n       20\n            Details of the surveys\xe2\x80\x99 scope and methodology can be found in Appendices VII\nand VIII.\n\n\n                                      8\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\ntesting of the VIS through use of a test victim account. In order to\naccomplish our third objective, we utilized a private auditing firm with\nexperience in conducting information technology audits to perform an\ninformation security review of the VNS.\n\n      The results of our review are detailed in the Findings and\nRecommendations section of this report. Finding I discusses EOUSA\xe2\x80\x99s\nmanagement of the VNS. Finding II reviews the VNS\xe2\x80\x99s effectiveness for\nfederal VNS users and victims of crime. Finding III concentrates on the\ninformation security review portion of the audit. The audit scope and\nmethodology are presented in Appendix I. Additional details on our review\ncan be found in Appendices II through XI.\n\n\n\n\n                                 9\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n                  FINDINGS AND RECOMMENDATIONS\n\n       I.     EOUSA MANAGEMENT OF THE VNS\n\n       We determined that government VNS users were generally\n       satisfied with the work of the contractor and sub-contractor.\n       However, EOUSA has not proactively assessed the accuracy of\n       data within the VNS and a significant percentage of victim\n       notifications are returned due to incorrect address information.\n       For example, in our attempt to contact over 2,700 victims via\n       mail, the correspondence that we sent to approximately\n       18 percent of these individuals was returned as undeliverable.\n       Further, because data in the VNS has never been archived,\n       storage space on the VNS server has been filled to almost\n       80 percent of its capacity, affecting both data access speed and\n       performance of the system. While EOUSA has articulated its\n       intent to resolve this issue, no schedule or written plans for\n       doing so have been established. EOUSA needs to address other\n       matters related to the future of the VNS, including following\n       through on its plans to add additional government participants\n       and establishing a succession plan for key program officials.\n\nThe VNS Contract\n\n      In FY 2000, EOUSA entered into a contract with AT&T to create the\nVNS. In addition to creating the actual information technology hardware and\nsoftware for data entry and reporting, the contractor was required to\nestablish and staff a Call Center to assist government and victim users of the\nVNS. It did so by sub-contracting with Appriss, Incorporated, to run and\nmaintain the VNS Call Center. AT&T was also to supply training, Help Desk\nsupport, and system maintenance and enhancements. Once the system was\ndeveloped, field deployment of the VNS began in October 2001. The VNS\nwas fully operational by January 2002.\n\n      The VNS has a firm fixed-price contract, which was originally set to\nexpire in September 2007, but which has been extended for 6 months. 21\n\n\n       21\n          The Federal Acquisition Regulation (FAR) System Subpart 16.202-1 states that a\nfirm fixed-price contract provides for a price that is not subject to any adjustment based on\nthe contractor\xe2\x80\x99s cost experience in performing the contract. This contract type places upon\nthe contractor maximum risk and full responsibility for all costs and resulting profit or loss.\nIt provides maximum incentive for the contractor to control costs and perform effectively\nand imposes a minimum administrative burden upon the contracting parties.\n\n\n                                     10\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\nThe annual cost to maintain the system is approximately $3.6 million. The\nprimary VNS server is located at the Justice Data Center in Rockville,\nMaryland, with a mirrored back-up system located at the VNS Call Center in\nLouisville, Kentucky.\n\n      We reviewed the VNS contract and spoke with numerous federal VNS\nusers to find out if they were satisfied with the system and the Call Center.\n\nSatisfaction with Contractor Performance\n\n        To evaluate the performance of AT&T and Appriss in terms of contract\nfulfillment and services provided to federal VNS users, we conducted\ninterviews with personnel at VNS-participating agencies. We also reviewed\nthe results of an FY 2003 BOP survey of its employees who utilized the VNS.\n\n      The federal VNS users we interviewed stated that they were not aware\nof any problems that occurred with the administration or fulfillment of the\nVNS contract. They also said that contracting personnel were very\nresponsive to users\xe2\x80\x99 requests. Federal VNS users also expressed satisfaction\nwith the working relationship they had with the contractors.\n\nThe VNS Call Center\n\n        We determined that access to the Call Center is limited to DOJ-cleared\nstaff and meets all the facility security requirements as described in the VNS\ncontract. We toured the Call Center and spoke with the contractors and the\nsub-contracted personnel who worked there. The physical security of the\nfacility generally appeared to be adequate to prevent access by unauthorized\npersonnel.\n\n      According to the VNS operations manual, the primary purpose of the\nCall Center is to support: (1) victims by ensuring that information is\ncaptured and updated in the VNS and appropriate notifications are sent in an\nexpeditious manner; (2) government agencies by providing system help and\nensuring that information is transferred from external systems correctly; and\n(3) data and system integrity through the application of security, backup,\nand recovery processes. In addition to its duties as a Help Desk, Call Center\nemployees assist federal VNS users with importing data for large cases that\ninvolve 300 or more victims.\n\n    To fulfill its mission, the Call Center maintains a toll-free telephone\nnumber that victims can call to obtain case information from either an\n\n\n\n                                  11\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\nautomated system or by speaking with Call Center staff. 22 As indicated in\nthe chart below, data provided by the Call Center show 78,850 calls were\nplaced in FY 2005. The number of calls decreased in FY 2006 to 63,959. Of\nthese totals, 11,391 and 13,988 calls in FYs 2005 and 2006, respectively,\nrequired staff assistance from Call Center personnel.\n\n                             Calls to the VNS Call Center\n                                                 FY 2005               FY 2006\n            Inbound                                66,748                49,408\n            Operator                                8,019                10,023\n            Help Desk                               3,372                 3,965\n            Abandoned Calls 23                        711                   563\n                      Total Calls                 78,850                63,959\n\n       Additional Suggested Tasks for Call Center\n\n      According to BOP survey respondents and other government personnel\nwe interviewed, they utilize the VNS Call Center for administrative purposes,\nas well as to address technical and access problems and to perform\ntroubleshooting. The survey respondents generally had a positive opinion of\nthe services provided by the Call Center, commenting that Call Center staff\nmembers were helpful, quick to respond, and open to suggestions for\nimprovement. BOP officials did, however, state that they would like the VNS\nCall Center to notify victims of an escapee when the event occurs during\nBOP non-business hours, because the Call Center is open most of the time. 24\n\n      Call Center personnel also commented that the automated ticketing\nsystem \xe2\x80\x93 called Tracker \xe2\x80\x93 for logging all calls they receive could be\nimproved. Tracker is an internal database that is used by Call Center\npersonnel to track calls from victims and federal VNS users, as well as to\nprovide the VNS Project Manager with weekly reports on the status of Help\nDesk activity and system-related matters. However, the Call Center staff\nhas to manually add specific information, such as callers\xe2\x80\x99 names, contact\n\n       22\n           \xe2\x80\x9cInbound\xe2\x80\x9d calls are calls to the automated toll-free number for which no live\nassistance was provided. \xe2\x80\x9cOperator\xe2\x80\x9d calls are from victims who dialed the toll-free number\nand selected "0" to speak with an operator. \xe2\x80\x9cHelp Desk\xe2\x80\x9d calls are from personnel at VNS-\nparticipating agencies for application support.\n       23\n           \xe2\x80\x9cAbandoned Calls\xe2\x80\x9d are instances where a caller hung up before completing the call\nor talking to a Call Center operator.\n       24\n         The VNS Call Center is operational Monday through Friday, from 7:00 a.m. to\n2:00 a.m.; Saturday from 7:00 a.m. to 12:00 a.m.; and Sunday 10:00 a.m. to 12:00 a.m.\n\n\n                                    12\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\ninformation, and a summary of the problem. According to the VNS Project\nManager, Tracker is functional for VNS purposes, but it is not a good\ninterface for the Help Desk staff. Because the Call Center staff must\nmanually create the ticket, it is very difficult to determine if all calls and\nissues are recorded and tracked.\n\n        The Call Center Manager explained that the Tracker system is\nrudimentary because all tracking activities have to be performed manually\nand the system cannot be easily searched. For example, in order to go back\nand check for specific information, a staff member has to review the entire\nlist of calls, rather than zeroing in on a particular timeframe. Additionally,\nalthough a newer version of the Tracker software is available, Call Center\nemployees said they are still using the original version.\n\n      Regarding a newer version of Tracker, during the audit a VNS official\ntold us that Tracker is part of the record used by the contractor to provide\nweekly reports on the status of Help Desk activity and system-related\nmatters. The VNS Project Manager stated that Tracker is an older system\nand is not as user-friendly to operate as are newer programs, but that it was\nbeing used due to a software compatibility issue. The VNS Project Manager\nalso advised that the newest version of the Tracker software, called Front\nRange, will be installed during 2007.\n\n      We believe that upgrading Tracker to Front Range will help improve\nthe quality of the contracted services provided, thus leading to an\nimprovement in the service the VNS provides to victims. The ability to more\neasily analyze the content of user calls should allow EOUSA to identify and\naddress existing problems that large numbers of victims might be having\nwith the system, as well as allow EOUSA to forestall issues that may be in\nthe developmental stage. However, the creation of the Tracker ticket should\nhave some mechanism to ensure that tickets are created and that this task\ndoes not need to be performed manually.\n\n      In August 2007, an EOUSA official advised us that as of July 5, 2007,\nTracker\xe2\x80\x99s upgrade to Front Range, which has greater report-tracking\ncapability than Tracker, was complete. Moreover, EOUSA stated that it plans\nto implement Front Range\xe2\x80\x99s feature to automatically e-mail a caller upon the\nclosing of a ticket. Additionally, a brief survey will accompany the e-mail to\naddress any Call Center service problems experienced during operator\nassistance.\n\n     EOUSA\xe2\x80\x99s upgrade to Front Range demonstrates its willingness to follow\nthrough on its plans to improve the VNS. We believe it is important for the\n\n\n                                 13\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nagency to implement these plans for establishing the Front Range feature\nthat will automatically e-mail a caller upon closure of a ticket.\n\nAccuracy of VNS Information\n\n       In addition to ensuring that the terms of the VNS contract are fulfilled,\nEOUSA is also responsible for the content of the VNS. Victim information\ngoes into the VNS when one of the various participating agencies enters the\ndata in their own information systems and the data is uploaded to the VNS.\nAfter the initial victim record is created in the VNS through the upload\nprocess, any participating agency can enter additional information related to\nits cases directly into the VNS. Federal VNS users also have the option to\nremove a person from a case if that person is deemed to no longer be a\nvictim.\n\n      According to the VNS Manual, when victims are added to the VNS from\nan agency information system, they are automatically associated with an\ninvestigative case, which, in turn, may be associated with one or many court\ncases. Victim records are thus automatically linked to all court cases\nassociated with an investigative case, and if an event occurs for any\nassociated case or defendant, each victim should be notified. However,\nfederal VNS users can, when necessary, break the link between a victim and\na specific court case or defendant if a victim is found not to be associated\nwith that particular case or defendant.\n\n       The USAOs are responsible for creating all VNS records associated with\nagencies that do not participate in the VNS. For all non-participating\ninvestigative agencies, the USAO prosecuting the case creates the case and\nenters victim information into LIONS, the USAO case management system.\nVictim-related information is then uploaded electronically from LIONS to the\nVNS. However, in some cases with large numbers of victims, USAOs (as well as\nall other VNS-participating agencies) may enlist assistance from the VNS Call\nCenter staff to create victim records in the VNS.\n\n      We interviewed federal VNS users to obtain feedback about the\naccuracy of VNS data. In addition, we assessed the controls and procedures\nin place to ensure the accuracy of information in the VNS.\n\nVNS User Feedback\n\n     We asked users of the VNS at the FBI, the USPIS, the BOP, the\nDOJ Criminal Division, and USAOs about the accuracy of the data in the\nsystem. In general, users at these components considered VNS data to be\naccurate. However, a VNS Call Center analyst questioned the accuracy of\n\n                                 14\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\ndata related to court events. Specifically, problems occur when inaccurate\ncourt schedule information is entered into LIONS and is subsequently\ntransferred to the VNS. In addition, BOP staff said that incomplete and\ninaccurate data is found in the information retained in the VNS. Additionally,\nresponses to the 2003 BOP employee survey included negative comments\nabout the accuracy of data in the system, a desire to have victim addresses\nupdated, and claims that some data entered into the VNS by the FBI and\nUSAOs was inaccurate or incomplete.\n\nUndeliverable Correspondence\n\n      One measure of VNS data accuracy is the rate at which VNS\ncorrespondence is returned as undeliverable \xe2\x80\x93 that is, when the contact\ninformation for a victim is inadequate. We discussed with federal VNS users\nundeliverable mail and e-mail, along with policies and procedures for\nupdating information in the VNS.\n\n       Interviews with most federal VNS users verified that there were no\npolicies or procedures in place that required them to update victim contact\ninformation in the VNS when letters were returned. A BOP official stated\nthat all returned notifications were forwarded to the USAO. At one USAO,\nwe noticed a large number of notification letters sitting on the floor piled in\nbins. When we asked a Victim/Witness staff person about it, she stated that\nthe letters had been returned because of inaccurate addresses and one of\nher responsibilities was to attempt to locate updated contact information.\n\n      USAO and EOUSA representatives stated that employees regularly use\nonline databases to search for people by former addresses and social\nsecurity numbers. They said that if a different address is located, the victim\nrecord is updated in the VNS. When a USAO receives undeliverable mail in\nlarge victim cases, the USAOs bundle the undeliverable envelopes and send\nthem to the Call Center. The Call Center, in turn, modifies the victim\nrecords in the VNS to identify them as \xe2\x80\x9copted-out\xe2\x80\x9d of the system, and then\nshreds the letters. According to the VNS Project Manager, this is done\nbecause the VNS lacks the resources to perform follow-up in such instances.\n\n       We also experienced problems with undeliverable correspondence in\nthe course of conducting our victim surveys. When we attempted to contact\n2,762 victims who were considered to be active in the VNS, 498 of our\nletters (18 percent) were returned as undeliverable. 25 The fact that\n\n       25\n           Our attempt to contact victims in the VNS was performed as part of a survey\nrelated to victim satisfaction with the VNS. The results of our survey are conveyed in\nFinding II. The complete scope and methodology of this survey is contained in\nAppendix VII.\n\n                                    15\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n18 percent of the \xe2\x80\x9cactive\xe2\x80\x9d victim records in our sample contained invalid\naddresses indicates that a significant number of victims may not be receiving\nnotifications of case events.\n\n      We asked EOUSA officials what steps were taken for e-mails that were\nundeliverable. EOUSA acknowledged that returned e-mail notifications were\na problem and that the problem was increasing in significance as the use of\ne-mail notification was rising. The VNS Project Manager further commented\nthat EOUSA was in the process of establishing a protocol for identifying and\ngetting information about undeliverable e-mail to federal VNS users for\naction.\n\n      In June 2007, EOUSA officials acknowledged to us that there was a\nproblem with undeliverable correspondence, but noted their belief that it is\nthe victim\xe2\x80\x99s responsibility to keep contact information up-to-date. Victims\ncan update their information by various methods, such as via the VNS\nwebsite or by contacting the USAO Victim-Witness Coordinator responsible\nfor their case. According to the VNS Project Manager, federal VNS users are\ntrained to make reasonable best efforts to find correct mailing addresses\nwhen correspondence is returned as undeliverable.\n\n      In response to our discussions with them on this issue, in August 2007\nEOUSA officials informed us that they are researching approaches to\nimplement a nation-wide procedure regarding undeliverable correspondence.\nThe officials noted that this concern has become a higher priority for EOUSA\nand that this new procedure may be included in the next VNS contract.\n\nVNS Procedures and System Controls\n\n      According to the VNS Project Manager, the accuracy of information in\nthe VNS is largely dependent upon what was provided or entered originally\nby the participating agency. He added that there was no process for\nroutinely checking the accuracy of victim files in the VNS and testing for\naccuracy of VNS data has not been performed. The FBI, the USPIS, and the\nBOP also have not tested the accuracy of the VNS data they entered.\n\n       An address is not required to enter a victim into the VNS. Rather, in\norder to add a victim to the VNS, the only required fields that must be\nentered are the victim\xe2\x80\x99s first name and last name or the victim\xe2\x80\x99s prefix and\nlast name. However, in order for the victim to be sent an initial notification\nletter, there must be an address listed for the victim. If there is no address\nfor the victim in the VNS when a letter is selected as a method of\nnotification, the "initial" notification is left in a "pending" state and the victim\nwill not be sent the initial notification letter until an address for that victim is\n\n                                  16\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\nadded to the VNS. When an initial notification is stopped for lack of a\nmailing address, the VNS alerts the responsible federal VNS user that a\nnecessary notification was not sent due to the missing information. The VNS\nManual directs federal VNS users to address these alerts. While the system\ndoes not have a control to ensure that federal VNS users respond to these\nalerts or confirm that the notifications are ultimately sent, it does leave the\nnotification in a pending state to alert the user the notification has not been\nsent.\n\n      In sum, there are few internal controls to ensure the accuracy and\ncompleteness of information in the VNS. This means that victims whose\ncontact information in the VNS is incorrect could be missing the opportunity\nto attend court events or be updated on defendant status. Although EOUSA\nbelieves it is the victim\xe2\x80\x99s responsibility to update all contact information, in\nour judgment, it is also EOUSA\xe2\x80\x99s responsibility to ensure that victim records\nin the VNS are as accurate as possible. We believe that EOUSA should work\nwith other VNS-participating agencies to develop procedures for ensuring\nvictim contact information is current and undeliverable correspondence is\npursued to help ensure victims receive case-related notifications from the\nVNS.\n\n      In response to the concerns we raised, EOUSA officials explained that\nfederal VNS users have the ability to generate a number of reports that\nallow for review of the data entered. At this time, the VNS does not\nautomatically validate the mailing addresses of victims. EOUSA has\nreviewed the use of such automation and concluded that, at this time, such\na process would require significant resources.\n\nThe Future of the VNS\n\n      In addition to reviewing the current status of information in the VNS,\nwe also inquired about EOUSA\xe2\x80\x99s future plans for the VNS. We examined the\nVNS contract, which was initiated on August 1, 2000, and runs through\nSeptember 30, 2007. The contract includes a clause allowing for a 6-month\nextension of services. According to the VNS Project Manager, the DOJ\nJustice Management Division (JMD) is responsible for procurement actions\nrelated to the VNS contract. JMD invoked the 6-month extension contract\nprovision in June 2007 and EOUSA officials told us that they have provided\nnecessary information to JMD for the next VNS contract.\n\n      We also examined EOUSA\xe2\x80\x99s long-term plans for the system, including\nthe archiving of older data, replacing system hardware, outreach to\nadditional federal agencies, and succession planning for management of the\nsystem.\n\n                                 17\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nArchiving and Storing VNS Data\n\n       The VNS contract states that the contractor will archive VNS data\nperiodically. However, EOUSA and contract officials confirmed that VNS\nhistorical records have never been archived and they have no immediate\nplans to do so.\n\n       Contract employees, as well as EOUSA officials with whom we spoke,\nstated that all data entered into the VNS since it went online in\nOctober 2001 has been retained. According to contract employees,\nhowever, storage space on the server is an issue and the system needs to\nbe upgraded for storage space. In its FY 2007 budget request, EOUSA\nconfirmed that storage space in the system was an emerging issue.\nSpecifically, the increased number of victims and notifications was pushing\nthe current system to its physical capacity and this had limited the speed at\nwhich data could be accessed and become a bottleneck in the system. At\nthe time of the budget request, the storage array as configured had 126 of\nits original 626 gigabytes of storage space remaining, meaning that the\nsystem was almost 80 percent full. This also meant that there was little\nroom for future expansion for increasing data needs, and that the 6-year old\ntechnology used by the system is a bottleneck that limits data access speed.\n\n       In examining EOUSA\xe2\x80\x99s plans for archiving data, we also identified a\nconcern with the established archiving criteria. The VNS contract states that\nrecords should be archived 36 months after a defendant is released from\nconfinement. We asked EOUSA to provide a query to determine how many\ninmates in the VNS had been released prior to April 30, 2004, and we were\ntold the VNS cannot readily obtain that information because it does not have\na "released by BOP" field to make that determination. However, release of\nan inmate (such as permanent release, release to a halfway house or on\nfurlough) are notifiable events.\n\n      In response to our discussions with EOUSA regarding our concern with\nVNS data never having been archived, in August 2007 EOUSA officials\ninformed us that they plan to replace the existing equipment with new\nequipment in the near future. According to EOUSA officials, this will resolve\nthe capacity issue and the need to archive or remove data from being\naccessible online.\n\nSystem Hardware\n\n     In addition to issues related to archiving data, one staff person from\nthe VNS Call Center expressed concern that VNS hardware is becoming\noutdated. We reviewed documentation related to this matter and found that\n\n                                18\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nEOUSA\xe2\x80\x99s FY 2007 budget request stated that most of the equipment was\n6-years old and coming to the end of its useful life span. A partial\nreplacement of equipment was funded in FY 2006. However, more\nequipment needs to be replaced. The remaining equipment still in need of\nreplacement includes the data storage system and the database servers.\nThe replacement equipment and labor cost was projected at $700,000.\n\nEOUSA Outreach to Other Agencies\n\n       Historically, EOUSA has coordinated with certain federal agencies to\nparticipate and use the VNS in carrying out their responsibilities to notify\nvictims of case events. We examined these efforts as well as EOUSA\xe2\x80\x99s\ncurrent efforts or plans to add new participating agencies.\n\n      At its inception, the VNS included the USAOs, the FBI, and the BOP.\nSince that time, the VNS has added two new agencies: the USPIS in\nFY 2004 and the DOJ Criminal Division in FY 2006. According to EOUSA, it is\nvery expensive to modify the VNS by adding other investigative agencies\xe2\x80\x99\nvarious case management systems. For that reason, EOUSA stated that it is\nnot economically feasible to include all other agencies in the VNS because\nmost investigative agencies have too few victims associated with their cases.\nAccordingly, EOUSA has focused its outreach efforts on agencies that have\nthe most victims associated with their cases, such as the USPIS.\n\n     As of October 5, 2007, the FBI and USPIS were responsible for\n1.2 million (79 percent) of the victims in the VNS. The number of victims,\nby agency, is shown in the following chart.\n\n\n\n\n                                19\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                            REDACTED FOR PUBLIC RELEASE\n\n  900,000\n\n               815,993\n  800,000\n\n\n                                                                       VICTIMS IN THE VNS\n  700,000\n                                                                   BY INVESTIGATIVE AGENCY\n                                                                      (as of October 5, 2007)\n  600,000\n\n                                                                     1,564,667 Total Victims\n  500,000\n\n                         421,184\n  400,000\n\n\n\n  300,000\n\n\n\n  200,000\n\n\n                                                                                                          102,452\n  100,000                             79,811\n                                                     57,587\n                                                                      30,862   29,261      27,517\n      -\n                 FBI      USPIS    Secret Service   All Internal       BOP       FDA    All Other Labor   All Other\n                                                     Revenue\n\n                                     Source: OIG analysis of VNS data\n\n\n       Although not all investigative agencies participate in the VNS, all are\nmandated by statute to provide victims with information during the\ninvestigative phase. 26 We interviewed officials from several agencies that do\nnot participate in the VNS: the Bureau of Alcohol, Tobacco, Firearms and\nExplosives (ATF); the Drug Enforcement Administration (DEA); the United\nStates Marshals Service (USMS); the Department of Homeland Security\xe2\x80\x99s\nBureau of Immigration and Customs Enforcement (ICE), and the United\nStates Secret Service (USSS). According to representatives with whom we\nspoke from most of these non-participating agencies, they utilize their own\nresources to provide various forms of victim notification services similar to\nthe type that the VNS was created to handle. We asked these agencies\nabout their interest in the VNS and any contact they had with EOUSA\nofficials about the system.\n\n\n\n\n          26\n         Once these cases are forwarded to a USAO for prosecution, the notifications\nbecome the responsibility of the USAO and are then processed through the VNS.\n\n                                        20\n                            REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n     \xe2\x80\xa2     DEA officials stated that EOUSA approached the DEA when the\n           VNS was first created, but the DEA declined to participate\n           because the agency was worried about manpower, and issues\n           related to system interface and security.\n\n     \xe2\x80\xa2     An ATF official said that ATF special agents were interested in\n           using the VNS, and he had requested information about the\n           system from the VNS Project Manager. However, he stated that\n           he did not receive a response to his inquiry and therefore the\n           ATF had not had the opportunity to evaluate the benefits of\n           using the VNS.\n\n     \xe2\x80\xa2     USMS headquarters officials told us that EOUSA had not\n           contacted the agency about participating in the VNS.\n\n     \xe2\x80\xa2     The USSS does not have its own, or access to, any automated\n           system to use for victim notification, and the USSS had never\n           been contacted about joining the VNS. According to the USSS\n           National Victim Coordinator, this is a concern because USSS\n           cases are continually involving more victims. Therefore, the\n           USSS official believed that joining the VNS was something that\n           could be very helpful.\n\n     \xe2\x80\xa2     The ICE official we interviewed stated that ICE had never been\n           contacted about participating in the VNS and had no interest in\n           doing so.\n\n      According to EOUSA officials, the agency is planning to create a\nuniversal interface that will allow all agencies with victim notification\nresponsibilities to utilize the VNS through a web-based portal. According to\nEOUSA officials, creating this interface would eliminate the high cost of\ncustomized connections and the need for prioritizing outreach efforts. We\nagree with this plan and believe that it would eliminate the necessity for\ngovernment agencies to duplicate the infrastructure for victim notification\nresponsibilities.\n\n\n\n\n                                21\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\n      Outreach for Court Event Data\n\n      The Administrative Office of the U.S. Courts (AOUSC) does not\ncurrently participate in the VNS, but EOUSA plans to connect the AOUSC\xe2\x80\x99s\nautomated case management system to the VNS. 27 The purpose of adding\nthe AOUSC to the VNS is to link public, court-docketed events directly with\nthe VNS. This would eliminate the current need for USAO personnel\nmanually to enter this information into LIONS so that it can be uploaded to\nthe VNS. This manual process is time-consuming, increases the opportunity\nfor human error, and increases the chances that court event information in\nthe VNS may be incorrect, untimely, or never provided to the victim.\n\n      The proposal to connect the AOUSC to the VNS was approved by the\nAOUSC\xe2\x80\x99s Judicial Conference on September 19, 2006, pending funding to be\nprovided by EOUSA. As of June 2007, EOUSA officials informed us that a\ndraft Memorandum of Agreement (MOA) between EOUSA and the AOUSC for\nelectronic VNS participation had been prepared and EOUSA was working on\nacquiring funding to develop the necessary interface. The estimated start-\nup cost for this endeavor was $800,000, and while EOUSA requested the\nnecessary funding from the OVC, it did not receive sufficient funding in\nFY 2007\xe2\x80\x99s allocation to fund the AOUSC data changes. Therefore, EOUSA\nused its own appropriated funding to pay for the changes. The final step is\nfor the AOUSC to develop software to extract its data to be sent to the VNS.\nThe AOUSC estimates that developing this software will not be complicated\nand will cost $31,854. In August 2007 EOUSA officials provided us with a\ncopy of the signed MOA between EOUSA and the AOUSC and noted that both\nagencies are working together to make necessary changes to the VNS for\nthe connection.\n\n       Although the proposal has been endorsed by the AOUSC, it only\naddresses the development of the interface. According to EOUSA officials,\nthey also will have to obtain approval from the Chief Judge in each judicial\ndistrict to include court event information from that district in the VNS. Only\nthen will all court event information flow directly from the AOUSC to the\nVNS. We believe that once the MOA is finalized and the interface is\ndeveloped, EOUSA should work with the AOUSC to pursue the necessary\n\n\n      27\n           The AOUSC is responsible for working with government agencies to coordinate\nand implement new legislation and procedures and to develop and support automated\nsystems and technologies used throughout the courts. The AOUSC manages the federal\ncourts\' case management and electronic case files system, which provides the courts with\nenhanced and updated docket management; allows the courts to maintain case documents\nin electronic form; and gives each court the option of permitting case documents such as\npleadings, motions, and petitions to be filed with the court over the Internet.\n\n                                   22\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\napprovals from the Chief Judges so that all USAOs can benefit from the\nelectronic sharing of court docket information.\n\nVNS Project Management and Succession Planning\n\n       The VNS is managed by a single Project Manager. According to EOUSA\nofficials, there are no formalized succession or contingency plans to continue\nthe management of the VNS at the headquarters level should anything\nhappen to key personnel. EOUSA\xe2\x80\x99s senior management informally discussed\nwith us a contingency plan that could be implemented if the VNS Project\nManager left. Yet, although it appears that EOUSA has considered how\nmanagement of the VNS would proceed in the absence of the Project\nManager, no formalized plan of action has been created. The amount of\ndecision-making authority and system knowledge concentrated in the\nposition makes the VNS Project Manager a critical person with responsibility\nfor the VNS\xe2\x80\x99s uninterrupted day-to-day operations. We believe the\nimportance of the service the VNS provides to millions of victims warrants a\nmore concrete plan for the future. Thus, we believe it is important that\nEOUSA develop a formalized plan that could be implemented in the case of\nthe current Project Manager\xe2\x80\x99s departure.\n\n       In addition, EOUSA does not have a formalized list of the future needs\nof the VNS, including enhancements to the system, upgrades to the system,\nreplacement of outdated equipment, or growth of the system to meet the\nneeds of federal VNS users and victims. At the beginning of the audit,\nEOUSA provided us with a list of future engineering changes, and since that\ntime, we have been provided a current list of engineering changes for the\nVNS. Other than the engineering changes, however, EOUSA does not have\nany formalized long-term plans for the VNS. When we spoke with EOUSA\nofficials about this in June 2007, they explained that all future plans for the\nVNS are limited to the short-term because of the upcoming expiration of the\ncontract on September 30, 2007. However, in August 2007 EOUSA officials\nadvised us that it has been developing a succession plan that will address\nany contingency issues.\n\nConclusion\n\n      We reviewed several aspects of VNS operations to evaluate EOUSA\xe2\x80\x99s\nmanagement of the system. We found that federal VNS users were\ngenerally satisfied with the services being provided by the contractor and\nsub-contractor, and these users, on the whole, found the VNS Call Center to\nbe helpful. However, we determined that limitations in the software used to\ntrack calls to the VNS Call Center prevented EOUSA from conducting detailed\nanalyses of suggestions for improving the VNS. While EOUSA has stated\n\n                                 23\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nthat it has addressed this issue with a software upgrade, we believe it is\nimportant for the agency to implement all of its planned enhancements.\n\n      We also found that there are few internal controls to ensure the\naccuracy and completeness of information in the VNS. Most importantly,\nthis means that victims whose contact information in the VNS is incorrect or\nunavailable could be missing the opportunity to attend court events or be\nupdated on defendant status. We attempted to contact over 2,700 victims\nas part of a victim survey, and in 18 percent of these instances, our\ncorrespondence was returned as undeliverable.\n\n      Further, VNS data, which dates back to October 2001, has never been\narchived and storage space on the VNS server has been filled to almost\n80 percent of its capacity, a situation that has affected both data access\nspeed and performance of the system. Also, although EOUSA has informed\nus that instead of archiving VNS data, it plans to expand the capacity of the\nsystem to alleviate the need for archiving, EOUSA has not yet established a\nformalized schedule or plan for doing so.\n\n      In addition, EOUSA has performed outreach to a limited number of\nfederal agencies, selecting those agencies that have the most victims to\nkeep informed, such as the USPIS. EOUSA is in the process of developing a\nuniversal interface that would allow all federal investigative agencies to\nupload victim information directly to the VNS. EOUSA is also currently in the\nprocess of establishing a connection between the AOUSC and the VNS, which\nwould allow court information to flow directly to the VNS, thus improving the\naccuracy of court-related data and reducing the amount of manual labor\nrequired.\n\n      Finally, there are no formalized succession or contingency plans in\nplace to ensure continuity of the VNS if the Project Manager who directs the\nVNS leaves his position.\n\nRecommendations\n\nWe recommend that EOUSA:\n\n      1.    Develop a written plan to: (1) archive VNS data, which should\n            include a schedule for the initial archiving, parameters for\n            subsequent archiving, and the criteria it will utilize to determine\n            the records ready for archiving; or (2) acquire new equipment\n            that will resolve the capacity issue.\n\n\n\n                                24\n                    REDACTED FOR PUBLIC RELEASE\n\x0c             REDACTED FOR PUBLIC RELEASE\n\n\n2.   Ensure that it is utilizing the newer version of the Tracker\n     software, called Front Range, to allow for a more user-friendly\n     data extraction and reporting function. Further, ensure that\n     Front Range\xe2\x80\x99s feature that automatically e-mails the caller upon\n     the closing of a ticket has been enabled and is being utilized to\n     the fullest extent.\n\n3.   Develop a universal interface for federal investigative agencies to\n     upload data directly to the VNS.\n\n4.   Work with the AOUSC to develop the hardware to connect the\n     VNS and the AOUSC, develop a plan to connect individual federal\n     court districts to the VNS using this interface, and endeavor to\n     ensure that all federal districts are connected to the VNS.\n\n5.   Work with VNS-participating agencies to develop and implement\n     procedures for federal VNS users to ensure that victims\xe2\x80\x99 contact\n     information is current and updated.\n\n6.   Develop long-range plans for the VNS and its management that\n     include: (1) future software and hardware upgrades,\n     (2) replacement of outdated equipment, (3) expansion of VNS\n     server storage capacity, (4) a projection of enhancements\n     needed to account for the future needs of government and\n     victim users, and (5) a formal succession plan for VNS project\n     management.\n\n7.   Work with VNS-participating agencies to develop and implement\n     a nationwide procedure for addressing undeliverable\n     correspondence and e-mail.\n\n\n\n\n                         25\n             REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nII. THE VNS\xe2\x80\x99s EFFECTIVENESS FOR VICTIMS\n\n      Overall, the victims who responded to our survey were\n      generally satisfied with the VNS and indicated that they\n      felt VNS notifications were useful and easy to understand.\n      However, our survey identified areas where improvements\n      in the VNS could be made. Most notably, 25 percent of\n      our survey respondents indicated that they had not heard\n      of the VNS prior to receiving our survey, had never\n      received a notification, or were not aware that they were\n      registered as victims in the VNS. Further, although EOUSA\n      encourages victims to obtain case information through the\n      VNS website, only a small percentage of our respondents\n      actually utilized it. Accessing the VNS website can be\n      confusing and some victims find it difficult to navigate.\n      Moreover, a large number of victims who responded to our\n      survey were dissatisfied with the amount of information\n      available to them regarding restitution and believe that\n      knowing the custody status of offenders is important. We\n      also determined that government VNS users can change a\n      victim\xe2\x80\x99s VNS participation status from active to inactive\n      without recording a reason for doing so, and without\n      notifying the victim. We identified a significant number of\n      victims who have been opted-out of the VNS with no\n      reason recorded.\n\nBackground\n\n      To assess the VNS\xe2\x80\x99s effectiveness and victim satisfaction with the\nsystem as a whole, we conducted surveys of both active and inactive users\nto examine their level of satisfaction with the VNS. Additionally, we\nreviewed a 2003 BOP survey of its own VNS users. We also conducted our\nown review of VNS services from the perspective of a victim active in the\nsystem. Specifically, we requested and were provided a test victim account\nthat we used to access the VNS victim-user website, known as the Victim\nInternet System (VIS), and the VNS Call Center\xe2\x80\x99s automated and staff\nassistance.\n\nVNS Active Victim User Satisfaction\n\n      Our survey of victims identified as being active in the VNS covered\nmany different aspects of the system, including the notification process, use\nof the VIS, and interaction with the VNS Call Center. From a universe of\n618,203 victims active in the VNS during FYs 2005 and 2006, we selected a\n\n                                26\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\nstratified sample and mailed out surveys to 2,762 victims. We received\n691 responses for a 25-percent return rate. We reviewed these submissions\nand identified 531 valid responses upon which we conducted our subsequent\nanalyses. 28\n\n      Overall, we found that our victim respondents were generally satisfied\nwith what is provided to them through the VNS and that they found VNS\nservices, such as the Call Center and the VIS, relatively easy to use.\nHowever, we identified areas of concern in our respondents\xe2\x80\x99 knowledge of\nthe VNS\xe2\x80\x99s existence, overall use of the VIS by victims active in the system,\nand information provided in the area of restitution.\n\nVictim Notifications\n\n      In our survey, we solicited comments from victim respondents\nregarding notifications of case information from the VNS and found that\n173 (25 percent) of the original 691 survey respondents indicated that they\ndid not know about the VNS, had never received a notification, or were\nunaware of their status as a victim of a federal crime. Further, some of\nthese respondents reported that our survey was the first piece of\ncorrespondence they believed they had received regarding the VNS, and\nthus they had no idea why they had received the survey.\n\n       The number and nature of these comments is troubling. Based upon\nour analysis, it appears that there are a significant number of federal crime\nvictims who have no knowledge that their personal information is contained\nwithin such a government database. We are aware of the statutory\nrequirements that victims be notified of events that occur in their cases\n(and, thus, require that their information be contained in the VNS).\nHowever, in addition to the legal requirement to include them in the VNS, it\nis also important that EOUSA ensure that victims: (1) are aware that they\nare victims of a federal crime, (2) are aware that their personal information\nis contained within the VNS, and (3) have been afforded the opportunity to\ndecide whether they wish to receive notifications of events that occur within\ntheir cases.\n\n     In light of victims\xe2\x80\x99 comments, we reviewed notification data provided\nby EOUSA. According to EOUSA, at the time we deployed our survey each of\n\n\n\n\n      28\n         Additional information on this survey\xe2\x80\x99s scope and methodology can be found in\nAppendix VII.\n\n\n                                   27\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\nthe 173 respondents had been sent between 1 and 160 notifications, with\nthe average number of notifications sent being 18. 29\n\n       The fact that a quarter of our respondents indicated they did not know\nthey were victims, despite the fact that EOUSA indicated that the individual\nhad been sent at least one notification, indicates that the VNS might not be\nas effective as possible at keeping victims informed of case events. These\nresults are similar to comments from the 2003 BOP survey of its employees\nwho utilized the VNS. According to that survey\xe2\x80\x99s results, BOP users noted\nthat in large fraud cases many victims were surprised by the notifications.\nIn other instances, BOP users reported receiving calls from victims who\nindicated that they did not understand why they were being contacted and\ndid not know anything about the inmate referred to in the VNS notification\nthat was sent to them.\n\n        We spoke with EOUSA officials about this issue and they acknowledged\nthat they have no formal follow-up process to ensure that victims receive\nnotifications from the VNS. In contrast to EOUSA, the BOP has formalized\ninitial notification quality control procedures included in their policies and\nprocedures for the VNS. According to BOP policies, BOP staff perform\nfollow-up work subsequent to sending notification correspondence to victims\nby ensuring each victim receives the notification. If the victim\xe2\x80\x99s preferred\nmethod of contact is unsuccessful, BOP staff are required to follow up with a\nnotification letter to the victim.\n\n      According to EOUSA officials, sending follow-up letters would be overly\nburdensome on federal VNS users, and EOUSA was moving towards using\nthe VIS as an alternative to written notification. However, we believe that,\nbecause the purpose of the VNS is to notify victims, the responsibility to do\nso should not end with making sure notifications are sent. Further, because\nour survey also identified that relatively few respondents were actively using\nthe VIS, we believe EOUSA should take steps to ensure that victims are\nreceiving at least their initial notifications, including improving its efforts to\nupdate victim contact information and addressing undeliverable\ncorrespondence and e-mail. 30\n\n\n\n\n      29\n         The data on notifications sent includes information provided via numerous\nmethods, including letter, e-mail, or posting on the VNS website, VIS.\n      30\n          Information about victim use of the VIS, which we obtained through our survey,\nbegins on page 31.\n\n                                   28\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n      Understanding Notifications\n\n       The format of the notification letters sent to victims is standardized.\nPrior to February 2006, federal VNS users were able to edit the text and\nadjust the format of the notification letters. EOUSA removed this editing\ncapability to ensure that all notifications sent to victims contained necessary,\nstandardized language. Although federal VNS users can add additional\ninformation to a letter, they cannot alter the format to ensure that it fits with\nthe specific case for which it is being sent.\n\n       During the course of our audit, we spoke with federal VNS users and\nthe VNS Call Center about the notifications. Many noted that information in\nnotifications became confusing and sometimes contradictory when various\ntypes of notifications were combined in the same letter, and that the\nstandard templates allowed little room to change information to clarify or\ncorrect the letters. Some also believed that letters generated by the VNS\nare vague and impersonal and can be insensitive to victims. Moreover, Call\nCenter personnel told us that 70 to 80 percent of victims who contact the\nVNS Call Center do not know why they have been sent these letters, and\nthat the letters do not clearly indicate that recipients are receiving the\ncorrespondence because they have been identified as victims of a federal\ncrime.\n\n       The VNS Project Manager told us the standard templates were created to\nease the notification burden for federal VNS users and allow them more time to\nassist victims in other ways, such as FBI Victim Specialists who provide other\nsocial services directly to victims in the field. According to EOUSA officials, they\nare aware that changes to the standard letters have been requested, but they\nsaid that certain language is required and the information currently conveyed is\ndesigned to provide the required information in a brief and accurate manner.\nEOUSA officials also noted that they have revised the standard language of the\nnotifications once, at the behest of and with input from government VNS users.\nMoreover, the current template allows federal VNS users to add as much\nadditional text to any of the standard language as necessary to help clarify the\nevent for the victims. EOUSA officials also stated that they will make\nconstructive revisions to the standard language of the notifications as necessary\nto meet statutory notification requirements.\n\n      In light of this issue, we asked survey respondents to indicate how easy it\nwas to understand the information provided in the notifications they received.\nAs shown in the following table, more than 80 percent of the responses\nindicated that the notifications were at least understandable, while less than\n20 percent indicated that they found the notifications difficult to understand.\n\n\n                                 29\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                           REDACTED FOR PUBLIC RELEASE\n\n\n\n                    How easy is it for you to understand the information\n                                     in the notifications?\n                                     Number of          Percent of           Grouped\n                Choices\n                                    Respondents        Respondents         Percentages\n\n   Very Easy to Understand              119                  26\n\n\n      Easy to Understand                120                  26                 82\n\n\n            Understandable              134                  30\n\n\n     Difficult to Understand              51                 11\n\n            Very Difficult to\n                                          8                  2                  18\n              Understand\n\n     Extremely Difficult to\n                                          21                 5\n          Understand\n\n                Totals                 453 31               100                100\n   Source: OIG survey of active victims\n\n       Usefulness of Notifications\n\n      We also asked the respondents to our survey about the usefulness of\nthe information provided in the notifications. As shown in the following\ntable, we found that almost half (48%) of the 448 victims who responded to\nthis question found notifications to be useful to some degree, while 69 of the\n448 respondents (15%) indicated they were not useful.\n\n\n\n\n       31\n           Out of the 531 overall valid responses to our survey, 453 respondents answered\nthis particular question, while 78 did not. Thus, we excluded from the analysis depicted in\nthis table the 78 survey respondents who did not respond to this question.\n\n                                       30\n                           REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n              Overall, how useful was the information provided to you\n                               in the notification(s)?\n                                    Number of          Percent of           Grouped\n              Choices\n                                   Respondents        Respondents         Percentages\n         Very Useful                    68                 15\n                                                                                48\n            Useful                      148                33\n           Neutral                      163                36                   36\n         Not Useful                     37                  8\n                                                                                15\n       Not Useful at All                32                  7\n           Totals                      448 32             100 33              10033\n       Source: OIG survey of active victims\n\nThe Victim Internet System\n\n      As previously noted, the VIS is a web-based application that allows\nvictims to have access to a subset of VNS data via the Internet. To\ndetermine the effectiveness of the VIS for victims, we included questions\nabout the VIS in our victim surveys. We also utilized our test victim account\nand conducted our own testing of the VIS to assess how easy or difficult it\nwas to use.\n\n      In analyzing the completed surveys, we observed that only 98 of the\n531 victims who returned valid responses indicated that they accessed the\nVIS to review their case information. 34 This 18-percent VIS usage rate may\nbe of concern to EOUSA, as officials informed us on more than one occasion\nthat EOUSA prefers and has attempted to encourage victims to utilize the\nInternet-based VIS instead of relying on written notifications or the Call\nCenter.\n\n       Accessing the VIS\n\n      As shown in the following graphic, which depicts the frequency with\nwhich the 98 victim respondents indicated that they had accessed the VIS,\n27 victims (28 percent) stated that they had not accessed the website since\n\n\n\n       32\n           Out of the 531 overall valid responses to our survey, 448 respondents answered\nthis particular question, while 83 did not. Thus, we excluded from the analysis depicted in\nthis table the 83 survey respondents who did not respond to this question.\n       33\n            The numbers in these columns add up to 99 due to rounding.\n       34\n         We conducted all of our analyses related to the VIS on this universe of\n98 respondents who indicated that they accessed the VIS to review case information.\n\n                                     31\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nthey first set up their account while 45 percent of the respondents used it\nmonthly or quarterly.\n\n    How often have you accessed the VNS website (VIS) for information?\n\n\n\n\n                                            Never Accessed\n                          Annually            After Setup\n                            16                     27\n\n\n\n                                                      No Response\n                                                           5\n\n                                                         Weekly\n                           Quarterly                       5\n                             31\n                                               Monthly\n                                                 14\n\n\n\n\n                       Source: OIG survey of active victims\n\n      In our survey, we also asked victims how easy or difficult the process\nwas to set up their website accounts. As shown in the following chart, the\nmajority of the victims (58 out of 98) who accessed the website found\nsetting up their user accounts to be easy while 14 victims found it somewhat\nor very difficult.\n\n\n\n\n                                32\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n                 How easy or hard was the process to set up\n                     your VNS website (VIS) account?\n\n\n\n\n                                         Very & Somewhat\n                                               Easy\n                                                58\n\n                   No Response\n                        4\n\n                     Very & Somewhat\n                           Hard\n                            14\n                                       Neither Hard nor\n                                             Easy\n                                              22\n\n\n\n\n                        Source: OIG survey of active victims\n\n      Despite this relatively positive overall response, some of the\nresponding victims commented on problems they encountered with the\nprocess. Their comments included: \xe2\x80\x9cI tried to access the VNS website, but\nwas unable;\xe2\x80\x9d \xe2\x80\x9cI received the VNS letter, but [the] letter has no VIN number\nor PIN number;\xe2\x80\x9d and \xe2\x80\x9c[I need] easier access to [the] website.\xe2\x80\x9d\n\n        We also utilized our test victim status to set up a VIS user account. In\ndoing so, we noted that the process includes steps that could be confusing\nfor victims. Specifically, notification letters advise victims to use their Victim\nIdentification Number (VIN) and Personal Identification Number (PIN)\nanytime they contact the Call Center or log on to the VIS. When we\naccessed the VIS, we were clearly requested to input our VIN. However, we\nwere not clearly asked for the PIN. Rather, we were asked for our VNS\nLogin ID (Password) to enter the website. EOUSA officials explained that the\nfirst time a victim logs into the VIS, they need to use their PIN as the VNS\nLogin ID. Victims are then prompted to create a VNS Login ID for future\naccess to the VIS. The originally issued PIN, however, remains active for\naccess to the VNS Call Center. None of this was explained on the VIS\nwebsite, nor in the letters. EOUSA officials stated that they will undertake a\nreview of VIS access to improve these controls and work to explain this\nprocedure in more detail.\n\n\n                                 33\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n     Comprehension of VIS Data and Ease of Navigation\n\n      We also addressed the comprehensibility of information in the VIS in\nour victim survey. We asked victims how easy it was for them to\nunderstand the information on the website, and found that only 9 out of\n98 respondents indicated that the information was difficult to understand,\nwhile the majority found the information easy to understand.\n\n           How easy was it for you to understand the information\n                       on the VNS website (VIS)?\n\n\n                                    No Response\n                                         10\n\n                         Difficult to\n                         Understand\n                              9\n\n\n\n                                                   Easy to\n                                                  Understand\n                        Neither Easy nor              56\n                            Difficult\n                               23\n\n\n\n\n                      Source: OIG survey of active victims\n\n\n      In addition, we analyzed our survey results to determine the ease with\nwhich victims navigated the VIS. According to the responses we received,\nonly 11 of the 98 respondents found navigating the VIS to be difficult.\n\n\n\n\n                                34\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n            How easy or hard is it to navigate or find information\n                      within the VNS website (VIS)?\n\n\n\n\n                                              Very &\n                                           Somewhat Easy\n                                                56\n\n\n\n                       No Response\n                            8\n\n\n                            Very &\n                         Somewhat Hard\n                              11          Neither Hard nor\n                                                Easy\n                                                 23\n\n\n\n\n                       Source: OIG survey of active victims\n\n     Usefulness of VIS Information\n\n       One survey question asked victims if they thought the information\nprovided on the VIS was useful. As depicted in the following graphic, one-\nhalf of the respondents found information on the VIS to be useful, while only\nseven victims indicated the information was not useful.\n\n           Overall, how useful is the information provided to you\n                        on the VNS website (VIS)?\n\n\n\n\n                         No Response              Very Useful -\n                              13                     Useful\n                                                       49\n                       Not Useful\n                           7\n\n\n\n\n                                     Neutral\n                                       29\n\n\n\n\n                       Source: OIG survey of active victims\n\n                                35\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\n       Restitution\n\n      In our conversations with EOUSA officials, they stated that victims\nfrequently asked about restitution.35 In light of this, we included questions\nabout the level of satisfaction victims had in regard to restitution information\navailable on the VIS. Of the 98 respondents who utilized the VIS,\n39 (40 percent) indicated that they accessed the website for information\nregarding restitution. Of those respondents, 56 percent were dissatisfied or\nextremely dissatisfied with the restitution information they received from the\nVIS. This analysis is shown in the following chart.\n\n\n    How satisfied were you with the restitution information you received?\n\n\n\n\n                                      Satisfied - Extremely\n                                            Satisfied\n                                                15\n\n                      No Response\n                           2\n\n\n\n\n                                           Dissatisfied -\n                                       Extremely Dissatisfied\n                                                22\n\n\n\n\n                           Source: OIG survey of active victims\n\n      Many of the respondents who indicated that they were dissatisfied with\nthe restitution information provided additional comments, such as:\n\n       \xe2\x80\xa2      I received little notice, not restitution, not even updates. I had\n              to send in victim information on more than 2 occasions \xe2\x80\x93 and I\n              currently don\'t know if I\'ll get any of my money back.\n\n\n       35\n           Restitution is defined on the VIS as a court order directing the defendant to pay a\nfixed amount of money to the victim in order to compensate the victim for loss incurred as a\nresult of the crime.\n\n                                    36\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n      \xe2\x80\xa2     I seemed to get the "run around." There were no direct answers\n            to my questions regarding restitution. The only thing that I was\n            told was that they were proceeding with the investigation and I\n            would be informed and updated. I haven\'t heard anything in a\n            couple [of] years.\n\n       Because of the concern regarding restitution information noted by\nEOUSA and reaffirmed by the response to our survey, we used our test\nvictim account to review restitution information provided in the VIS. We\nfound that the information in the VIS related to restitution was not clearly\nwritten. Specifically, it was not apparent from the information available on\nthe website whether or not our test victim was awarded restitution, and we\nbelieve that it would have been helpful if the VIS clearly indicated whether\nour case had restitution considerations. We discussed the restitution issue\nwith EOUSA officials, who noted that informing victims that they are not\nreceiving restitution is not required. However, EOUSA officials stated that\nthey will change the language in the VIS \xe2\x80\x9chelp\xe2\x80\x9d section to indicate that\nrestitution information will only appear as that information is approved by\nthe USAOs. Considering the importance that responding survey victims\nplaced on restitution, we believe that the VIS could be improved by clearly\nindicating whether or not a case had restitution considerations, and we\nencourage EOUSA to make the described changes to language in the VIS to\nfurther clarify this matter to victims.\n\nThe VNS Call Center\n\n       In addition to the Internet-based VIS, a Call Center is maintained\nwhere victims can call a toll-free number and receive assistance via an\nautomated response system or speak with an operator to receive\ninformation. While the automated system provides automated readings of\nnotifications and gives victims the option to access other services available\nthrough the automated system, operators who staff the live assistance\noption can provide victims answers to a limited number of questions, direct\nvictims where to call for further information, and provide information to\nfederal VNS users.\n\n      We included questions about victims\xe2\x80\x99 experience with the VNS Call\nCenter in our survey of victims identified as active in the VNS. Initially, we\nasked victims whether they called the toll-free number for Call Center\nassistance and found that only 59 (11 percent) of the 531 valid victim\nresponses indicated that they had called the toll-free number, while\n383 (72 percent) responded they had not done so. We then assessed the\nresponses from the 59 victims who responded that they had called the toll-\nfree number and determined that 29 indicated that they had terminated\n\n                                  37\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n\n\ntheir calls before receiving assistance for a variety of reasons.\n\n      We also reviewed our response data to determine what type of Call\nCenter assistance our respondents had utilized: automated assistance, staff\nassistance, or a combination of both. As shown in the following table, we found\nthat of the 59 respondents who had utilized the Call Center, 22 used automated\nassistance, 20 used staff assistance, and 15 utilized a combination of both. 36\n\n               What type of assistance did you receive from the Call Center?\n                 Type of Assistance                Number       Percentage 37\n             Automated                               22              37\n             Operator                                20              34\n             Both                                    15              25\n             No Answer                               02              03\n            Source: OIG survey of active victims\n\n      In order to capture all of the victims utilizing a particular type of assistance,\nwe included the 15 victims who indicated they had utilized both types of Call\nCenter assistance in our separate analyses of automated and operator assistance.\n\n       Automated Assistance\n\n      As noted in the preceding table, of the 57 victims using Call Center\nservices, 37 (65 percent) used automated assistance or a combination of\nautomated and operator assistance. Additional questions answered by these\n37 victims indicated that while 12 of them (32 percent) always or often\nreceived information, 15 (41 percent) responded that they never or rarely\nreceived information, and 5 (14 percent) only sometimes received\ninformation.\n\n\n\n\n       36\n         Two of the 59 respondents who indicated that they had called the toll-free\nnumber did not respond to this question.\n       37\n            The numbers in this column add up to 99 due to rounding.\n\n                                      38\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n\n\n                Did you receive the information you wanted\n                       from the automated system?\n\n\n\n                               No Response\n                                    5            Always\n                                                    7\n\n\n\n\n                           Never                          Often\n                             9                              5\n\n\n\n                                                 Sometimes\n                                                    5\n                                     Rarely\n                                       6\n\n\n\n\n                      Source: OIG survey of active victims\n\n\n      We also asked our survey respondents about the ease with which they\nwere able to access information about their cases by using the automated\nsystem. As shown in the following chart, the majority of respondents \xe2\x80\x93 21 \xe2\x80\x93\n(57 percent) indicated that they found the automated system to be at least\nsomewhat easy to use, while 11 respondents (30 percent) indicated that\naccessing information was not easy.\n\n    How easy is it to access information through the automated system?\n\n\n\n                               No Response\n                                    5\n\n                                                 Very Easy &\n                                                    Easy\n                                                      13\n                         Not Easy & Not\n                           Easy at all\n                               11\n\n\n                                          Somewhat Easy\n                                               8\n\n\n\n\n                      Source: OIG survey of active victims\n\n\n\n\n                               39\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n      In response to our questions regarding what additional information the\nrespondents would like to be able to receive from the automated assistance\nservice, victims generally indicated that they would like current and more\ncase information, such as restitution and custody status. Additionally, they\nwould like to be able to easily gain access to a human operator from the\nautomated assistance.\n\n      Similar to our evaluation of the VIS, we used our test victim account to\nassess the automated assistance provided by the VNS Call Center. We were\nable to access some of the automated features and identified areas that we\nbelieve could cause confusion for victims attempting to utilize these\nfunctions. For example, we noted some confusion in the numbers a victim\nneeds to press in order to access certain VNS services. At the first prompt,\nthe caller must press \xe2\x80\x9c2\xe2\x80\x9d to hear information in Spanish. Another prompt\ninstructed the caller to press \xe2\x80\x9c2\xe2\x80\x9d at anytime during the message to return to\nthe main menu. However, when we pressed \xe2\x80\x9c2,\xe2\x80\x9d we were not directed to\nthe beginning menu option. Rather, pressing \xe2\x80\x9c2\xe2\x80\x9d prompted an automated\nmessage that advised us to call the number on our initial notification letter if\nwe needed assistance, and also advised us we could go to the website.\nAdditionally, once we entered the automated system and made our first\nselection, there was no means for us to speak with an operator aside from\nhanging up and calling back.\n\n      Moreover, events were listed by defendant but not all historical events\nwere provided, although this information was provided when we used the\nVIS. There also was no information available for any government-contact\npersonnel working on a case. In addition, the automated assistance spelled\nout rather than said each defendant\xe2\x80\x99s name. As a result, it was a very long\nprocess to get to the defendant\xe2\x80\x99s information.\n\n       Overall, from the results of our survey as well as our own testing, we\nfound that accessing the VNS\xe2\x80\x99s automated assistance could be challenging.\nThe automated assistance was sometimes confusing, information available\nwas limited in comparison to information available for the same case via the\nVIS, and obtaining the information could be a lengthy process. We believe\nthat EOUSA should take necessary steps to improve the automated\nassistance system and make it more user-friendly for victims. At a\nminimum, users should be able to access an operator at any time during the\ncall by pressing a single key, such as \xe2\x80\x9c0.\xe2\x80\x9d\n\n      Call Center Operator Assistance\n\n     In addition to the Call Center\xe2\x80\x99s automated assistance, our victim\nsurvey included questions regarding the use of Call Center operator\n\n                                 40\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nassistance via its toll-free number. According to Call Center staff, they can\nprovide contact information for further assistance and provide case-specific\ninformation related to 10 areas:\n\n     1)     Current offender custody status\n     2)     Current investigative status of case\n     3)     Arrests made in the case\n     4)     Sentencing information\n     5)     Pleas made by defendant\n     6)     Type of next court event\n     7)     Date of next court event\n     8)     Time of next court event\n     9)     Inmate location\n    10)     Inmate scheduled release date\n\n      As indicated in the chart on page 38, we found that 35 of the\n59 victims who indicated that they utilized Call Center services also indicated\nthat they had utilized the Call Center\xe2\x80\x99s operator assistance. For this\nanalysis, we evaluated information provided by these 35 respondents who\nhad utilized the operator assistance. As shown in the following chart,\n16 respondents (46 percent) indicated that they always or often received the\ninformation they wanted, while only 6 respondents (17 percent) indicated\nthat they never or rarely received the information.\n\n                Did you receive the information you wanted?\n                     (from Live Call Center Assistance)\n\n\n                               No Response\n                                    5\n\n\n\n\n                        Never & Rarely        Always & Often\n                              6                    16\n\n\n\n\n                                  Sometimes\n                                     8\n\n\n\n\n                       Source: OIG survey of active victims\n\n\n\n                                41\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n      We also solicited comments from the survey respondents about the\nCall Center\xe2\x80\x99s operator assistance. We found that 14 out of 29 respondents\nindicated that they were dissatisfied with the system because: (1) it lacked\ninformation regarding restitution; (2) it did not contain the updated\ninformation on the case or the custody of the defendant; and (3) the system\ngenerally did not have enough information and assistance. 38\n\n       In response to these comments, EOUSA stated that the Call Center\nservice level for victims is appropriate given the goals of the VNS project and\nthe information available to individuals at the Call Center. Those goals are\nto provide victims the information required by the applicable statutes and\nthe Attorney General Guidelines for Victim-Witness Assistance. EOUSA\nofficials further explained that when victims have questions beyond the\nscope of VNS-related events, Call Center personnel direct the caller to the\nvictim staff person of the agency currently involved with the case. This\nensures that the victim speaks with someone who is familiar with the facts of\nthe case and can provide the most up-to-date, accurate information,\nincluding information that is not available in the VNS.\n\n      We identified several additional issues when we performed our own\nevaluation of the Call Center\xe2\x80\x99s operator assistance. For example, we found\nthat the only opportunity a victim has to speak with an operator occurs at\nthe beginning of the call. If a caller does not immediately select that option\n(perhaps before the caller has received much information or had the time to\ndevelop questions), the caller must hang up, call back, and select to speak\nwith a human operator at the outset of the call.\n\n      Another issue we identified is that, according to the VNS contract, a\nvictim must have the option of speaking directly with a Call Center operator\nto be able to obtain case information in either English or Spanish. However,\nas of June 2007, the Call Center had only a single Spanish-speaking operator\non staff, meaning that there are times each day when the Call Center is\nunable to provide this service to victims. According to EOUSA officials,\nsubsequent to our discussion, they informed the contractor of the\nrequirement that a Spanish-speaking operator must be on duty during all\nCall Center operating hours. As a result, the contractor is now planning to\nadd another Spanish-speaking operator to the Call Center.\n\n      In sum, while some victim survey respondents commented on their\ndispleasure with the Call Center\xe2\x80\x99s operator assistance, the majority of our\n\n\n      38\n         Respondent comments on Call Center operator assistance can be found in\nAppendix IX.\n\n\n                                  42\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\nsurvey respondents indicated that they received the information they\nneeded. However, based on our testing, we believe EOUSA could improve\nthe effectiveness of the Call Center\xe2\x80\x99s operator assistance by allowing callers\nto access a human operator at more points during a call, having a Spanish-\nspeaking operator on duty during all hours of operation, and by allowing Call\nCenter operators to provide more information to victims who contact them.\n\nAvailability of Custody Status Data\n\n       Access to defendant custody data is one of the most important\nfeatures of the VNS. The Attorney General Victim Witness Guidelines direct\nagencies to notify victims of the release or escape of an offender or\nsuspected offender. However, the USAOs do not consistently enter\ndefendant custody status information into the VNS during the prosecutorial\nphase. 39 The VNS Project Manager stated that the USAOs do not\nconsistently enter into the VNS custody status information on defendants\nduring the criminal justice process and obtaining this information is not a top\npriority for the VNS.\n\n      We included questions about the importance of custody status in our\nsurvey of victims active in the VNS. As shown in the following graphic,\n375 out of the 531 victims who responded to this question (71 percent)\nindicated that they considered knowing the custody status of the defendant\nto be \xe2\x80\x9cExtremely Important,\xe2\x80\x9d \xe2\x80\x9cVery Important,\xe2\x80\x9d or \xe2\x80\x9cImportant.\xe2\x80\x9d\n\n\n\n\n      39\n          During the prosecutorial phase, a defendant may be released on bond or\nremanded into the custody of the respective U.S. Marshal to stand trial. Once a defendant\nhas been convicted, sentenced, and remanded to a BOP correctional facility, the defendant\nmoves to the incarceration phase and the provision of custody status information becomes\nthe responsibility of the BOP.\n\n                                   43\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n\n\n How important is it for you to know the custody status (incarcerated or not\n        incarcerated) of the defendant(s)/inmate(s) in your case?\n\n\n                    Important-Extremely\n                        Important\n                            375\n\n\n\n\n                                          Not Important\n                                               121\n\n\n\n\n                                                           No Response\n                                                                35\n\n Source: OIG survey of active victims\n\n       The USMS is the only entity that tracks the pre-sentencing custody\nstatus of federal defendants. We believe that it is important for the custody\nstatus of defendants in the prosecutorial phase to be provided to victims, as\nrequired by DOJ guidelines. We raised this issue with EOUSA officials in\nJune 2007, noting that we were told by USMS officials that the USMS had\nnever been approached by EOUSA to connect to the VNS. In response,\nEOUSA officials stated that funding an electronic interface between the VNS\nand the USMS was an issue, but requested contact information for the USMS\nofficials we interviewed.\n\n      In August 2007, EOUSA officials advised us that providing custody\nstatus to victims would be a priority and that they had reached out to the\nUSMS regarding this issue. According to EOUSA, the USMS is willing to\nprovide custody status information to VNS. Further, EOUSA has provided\ndirect appropriated money to fund any system changes that will be needed\nto accept data from the USMS.\n\n\n\n                                  44\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\nVictims No Longer Active in the VNS\n\n      In addition to surveying active victims, we conducted a survey of\nvictims who were no longer active in the VNS. These victims had once been\nactive in the VNS, but had, for a variety of reasons, been \xe2\x80\x9cdeactivated\xe2\x80\x9d and\nwere now in an \xe2\x80\x9copt-out\xe2\x80\x9d status. 40 We designed this part of the survey to\ndetermine whether the opted-out victims received an initial notification from\na federal agency regarding the VNS and whether they subsequently chose\nnot to receive notifications.\n\n      Victims may choose to \xe2\x80\x9copt-out\xe2\x80\x9d of the VNS themselves or be opted-\nout when a federal VNS user chooses to stop sending them notifications.\nThe VNS contains a field that offers one of four options that may be chosen\nto record the reason a victim is opted-out, as follows:\n\n       \xe2\x80\xa2      Contact Choice indicates that the victim chose to be opted-out.\n              Federal VNS users issue letters to these victims confirming they\n              have been opted-out of the VNS.\n\n       \xe2\x80\xa2      Invalid Address indicates the victim was opted-out due to an\n              invalid address or letters that could not be delivered. Because of\n              incorrect addresses there is no letter sent to alert the victim that\n              they were opted-out of the system.\n\n       \xe2\x80\xa2      User Choice indicates the federal VNS user has decided to opt a\n              victim out of the VNS. However, federal VNS users do not send\n              letters alerting victims that they were opted-out of the system.\n\n       \xe2\x80\xa2      No Longer a Victim indicates that the federal VNS user\n              determined the person who was originally notified of being a\n              victim is no longer considered one.\n\n      Through our analyses of VNS data, we determined that\n164,493 victims were opted-out of the system between the VNS\xe2\x80\x99s inception\nin October 2001 and September 20, 2006. We further analyzed the data to\ndetermine the reason these victims were opted-out of the system.\n\n\n\n\n       40\n          According to the VNS Manual, \xe2\x80\x9copt-out\xe2\x80\x9d indicates the status of a registered victim\nor contact who does not receive notifications and cannot access the VNS Inbound phone line\nor Internet web page. Although these victims are no longer considered to be active in the\nVNS, their names and information remain in the system.\n\n                                    45\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n                   VICTIMS OPTED-OUT OF THE VNS\n                  October 2001 to September 20, 2006\n                               Number of\n         Opt-Out Reasons      Registrants        Percentage\n         Contact Choice              4,144              3%\n         Invalid Address            79,597             48%\n         User Choice                28,486             17%\n         No Longer a Victim             17             <1%\n         No Reason Given            52,249             32%\n         Total                    164,493             100%\n         Source: OIG analysis of VNS data\n\n      We are concerned with the high number of victims identified as opted\nout due to invalid address information. This number is in addition to our\nother findings related to undeliverable mail and incorrect contact\ninformation. We believe that these opted-out victims with invalid address\ninformation are further evidence that EOUSA needs to improve its efforts to\nmaintain up-to-date contact information, as recommended in Finding I.\n\n       We are also concerned with the high percentage of victims opted out\nof the VNS with no reason given. We discussed this issue with EOUSA\nofficials, who confirmed that it is not mandatory to include in the VNS the\nreason a victim is opted-out. We believe that because there is no\nrequirement for recording why someone was removed from the VNS, there is\nno easy means available to review a record to ensure that the victim was\nopted-out for a valid reason.\n\n     To maximize our response rate from those victims more recently\nopted-out of the system, we identified 71,179 victims who were opted-out of\nthe VNS during the 2 full fiscal years prior to our analysis \xe2\x80\x93 2005 and 2006.\nAs shown in the following table, 73 percent of these 71,179 victims were\nopted-out of the VNS due to an invalid address, while 10 percent were\nopted-out with no reason provided.\n\n\n\n\n                                 46\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\n                     VICTIMS OPTED-OUT OF THE VNS\n              October 1, 2004, through September 30, 2006\n                                 Number of\n           Opt-Out Reasons      Registrants    Percent Value\n           Contact Choice              1,580              2%\n           Invalid Address           52,029             73%\n           User Choice               10,548             15%\n           No Longer a Victim             56            <1%\n           No Reason Given             6,966            10%\n           Total                    71,179             100%\n           Source: OIG analysis of VNS data\n\n       We then analyzed this data, selected a sample, and sent surveys to\n480 victims. 41 We received 58 responses to our survey, resulting in a\n12-percent response rate. 42 We then analyzed these 58 responses and\nisolated 44 out of the total that we considered to be valid.\n\n      We conducted analyses on these 44 responses and determined, as the\nfollowing graphic shows, that only 18 percent (8 respondents) chose not to\nreceive notification information.\n\n               Did you choose not to receive notification from the\n                          Victim Notification System?\n\n\n\n\n                                              Do Not Recall\n                                                   10\n\n\n                                     No\n                                     26                Yes\n                                                        8\n\n\n\n\n                   Source: OIG survey of victims opted-out of the VNS\n\n\n      41\n          A detailed description of our opt-out survey\xe2\x80\x99s scope and methodology can be\nfound in Appendix VIII.\n      42\n          Of the 480 surveys that we sent out, 58 percent (280) were returned as\nundeliverable.\n\n                                   47\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n\n\n      Furthermore, only three of our respondents (7 percent) indicated that\nthey were informed by a federal agency that they were opted-out of the VNS\nand would no longer receive notifications.\n\n    If it was not your choice, were you informed by a federal agency that\n                   you would no longer receive notification?\n\n\n\n\n                                 No\n                                                No Response\n                                52%\n                                                    41%\n\n\n\n\n                                          Yes\n                                          7%\n\n\n\n                 Source: OIG survey of victims opted-out of the VNS\n\n       Overall, based on the high rate of undeliverable surveys, as well as the\nrelatively low overall response rate, our survey of opted-out victims did not\nprovide clear evidence about why victims opt-out of the system. However,\nwe found that the majority of our respondents who did not choose to opt-out\nwere not informed by a federal agency that they would no longer receive\nnotifications from the VNS.\n\nConclusion\n\n       To gauge if victims are effectively being notified by the VNS of\nimportant case-related information, we conducted a survey of victims\nconsidered to be active in the VNS, utilized VNS services from a victim\xe2\x80\x99s\nperspective by using a VNS test user account, and interviewed federal VNS\nusers and VNS Call Center personnel. In general, the victims who responded\nto our survey were satisfied with the VNS and indicated that they felt VNS\nnotifications were useful and easy to understand.\n\n      However, we identified areas in which we believe EOUSA could\nimprove the services the VNS provides to victims. For example,\napproximately 25 percent of our victim respondents were unaware of the\nVNS, had never received a notification, or were unaware of their status as a\nvictim of a federal crime, despite having been sent at least one VNS\n\n\n                                 48\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nnotification. These results indicate that many victims may not have been\nnotified of case events.\n\n       Our interviews with government VNS users and Call Center personnel,\nas well as our own review of notifications provided to victims, found that\nnotifications sent through the VNS did not always provide enough\ninformation to victims and that the standardized language within them can\nsometimes limit the effectiveness of the information provided.\n\n       From our survey, we determined that while the VNS website generally\nprovides useful and understandable information to victims, the process and\nrequisite passwords required to access it can sometimes be confusing and\ndifficult. Additionally, we found that our respondents desired more\ninformation regarding restitution than what was provided on the website.\nThrough our survey, we also determined that only a small portion of our\nrespondents were using the VNS website \xe2\x80\x93 VIS \xe2\x80\x93 to obtain information about\ntheir cases.\n\n      We also surveyed victims about their use of the Call Center and\nperformed our own testing of Call Center services to determine if the\nservices it provides are effective. We found that the automated assistance\nwas difficult to access, limited information was available to the caller, and\nthe system was difficult to navigate and not user-friendly. We also found\nthat the operator assistance option only allowed a person one opportunity to\nreach a human operator (and then only at the beginning of the call), a\nSpanish-speaking operator was not available during all hours of operation,\nand operators provided little information.\n\n      In addition to those victims considered to be active in the VNS, we also\nanalyzed data on and conducted a survey of those victims who had\npreviously been active in the system but were no longer active (referred to\nas \xe2\x80\x9copted-out\xe2\x80\x9d in the VNS). We found that the VNS allows federal VNS users\nto opt a victim out of the system without recording a reason for doing so.\nAccording to data in the VNS, as of September 20, 2006, more than\n160,000 victims had been opted-out of the VNS since its inception, with\nmore than 50,000 of them having been opted-out with no reason recorded.\nWe are concerned that because there is no requirement to list a reason,\nthere is no easy means to determine if the decision to opt-out a particular\nvictim was proper.\n\n\n\n\n                                49\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n       Our survey of victims opted-out of the VNS found that the majority of\nthe individuals who responded to our survey indicated that it had not been\ntheir choice to be opted-out of the VNS and that most were not informed by\na federal agency that they would no longer receive notifications from the\nVNS.\n\nRecommendations\n\nWe recommend that EOUSA:\n\n     8.    Improve the Call Center automated assistance to allow callers to\n           reach an operator at any point during a call.\n\n     9.    Follow up with the sub-contractor at the VNS Call Center to fulfill\n           its requirement to have a Spanish-speaking operator available\n           during all hours of operation.\n\n     10.   Work with the USMS to ensure that the accurate custody status\n           of defendants is available to victims utilizing VNS services.\n\n     11.   Ensure that information regarding restitution is consistent\n           throughout the VIS so that it is clear to victims whether\n           restitution information is available to them.\n\n     12.   Work with VNS-participating agencies to develop a requirement\n           for federal VNS users to record a reason for opting a victim out\n           of the VNS.\n\n\n\n\n                                50\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\nIII. REVIEW OF VNS INFORMATION SECURITY\n\n       We evaluated the VNS\xe2\x80\x99s information security and privacy\n       policies and identified various deficiencies, including\n       EOUSA\xe2\x80\x99s implementation of systems and communications\n       protection controls, identification and authentication,\n       website privacy, and web application controls. As a result,\n       the VNS may be susceptible to unauthorized use, access,\n       or data modification. Because the VNS contains personally\n       identifiable information (PII) for federal crime victims, such\n       as names, contact information, and some social security\n       numbers, EOUSA must improve its information security\n       practices to help ensure that the data is appropriately\n       protected against loss and misuse.\n\nBackground\n\n       During our interviews with VNS contractor personnel, we were\ninformed that some recommended security patches for the system had not\nbeen installed because the patches had not been approved by EOUSA. In\naddition, during the course of our audit we were apprised of several\nattempted electronic break-ins to the VNS, which contains personally\nidentifiable information (PII) from federal crime victims throughout the\nworld. After discussing these security issues with EOUSA officials, we\ndetermined that the sensitive nature of this information (names, contact\ninformation, some social security numbers), as well as the possible\nconsequences of failing adequately to protect it, warranted a more in-depth\nreview of the VNS\xe2\x80\x99s information security. Therefore, the OIG contracted\nwith outside auditors, Urbach, Kahn, & Werlin, LLP (UKW), to conduct an\nindependent assessment in accordance with the Government Accountability\nOffice\xe2\x80\x99s (GAO) Generally Accepted Government Auditing Standards. 43, 44\n\nObjectives, Scope, and Methodology of Review\n\n      We conducted an independent assessment to evaluate whether the\nVNS was properly configured to prevent unauthorized use, access, and data\nmodification from sensitive and potentially vulnerable access points. We\nalso determined whether information security control weaknesses exist\nsurrounding the VNS\xe2\x80\x99s web interface; as well as to identify weaknesses\n\n       43\n           In this section of our report, \xe2\x80\x9cwe\xe2\x80\x9d and \xe2\x80\x9cour\xe2\x80\x9d refer to the auditors working under\nthe direction of the OIG.\n       44\n          The OIG regularly contracts with independent auditing firms to fulfill its\nresponsibilities under the Federal Information Security Management Act.\n\n                                     51\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                           REDACTED FOR PUBLIC RELEASE\n\n\n   associated with data collection, transmission, data storage, and PII. Further,\n   we assessed the VNS\xe2\x80\x99s compliance with applicable federal information\n   security policies and procedures for DOJ and EOUSA.\n\n         We performed a vulnerability assessment of the information security\n   configuration of the VNS and tested web application security controls for the\n   VIS. In order to identify whether the VNS complied with DOJ and federal\n   privacy and information security policies, we performed interviews, on-site\n   observations, and reviews of information security-related documents.\n\n   Overview of Information Security Controls Review Results\n\n        We concluded that the following information security control\n   weaknesses exist within the VNS:\n\n\n Information Security Control Areas                        Function\n\n                                        To prevent unauthorized and unintended\nSystems and Communications Protection   information transfer via shared system\n                                        resources.\n                                        To verify the identity of users when accessing\nIdentification and Authentication\n                                        the system.\n\nWebsite Privacy                         To protect data collection and PII.\n\n                                        To determine the adequacy of security\n                                        measures, identify security deficiencies,\n                                        provide data from which to extrapolate the\nVNS Vulnerability Assessment            effectiveness of proposed security measures,\n                                        and confirm the adequacy of such measures\n                                        after implementation.\n\n                                        To identify issues related to vulnerabilities and\nWeb Application Controls\n                                        risks associated with web applications.\n\n\n          We concluded that these deficiencies exist because EOUSA did not\n   always fully develop, enforce, or formalize information technology (IT)\n   security and privacy policies and procedures in accordance with current DOJ\n   policies and procedures. We considered these weaknesses a moderate risk\n   to the protection of the VNS and its data from unauthorized use, disclosure,\n   loss, or modification in accordance with Federal Information Processing\n\n\n\n\n                                       52\n                           REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\nStandards (FIPS) Publication (PUB) 199. 45 Specific details regarding findings\nidentified during this review are discussed within the following sections.\n\nSystems and Communications Protection Controls\n\n      The purpose of systems and communications protection controls is to\nprevent unauthorized and unintended information transfer between systems\nthat share the same resources. We tested 12 control areas and identified\nweaknesses in transmission integrity and data validation.\n\n       Transmission Integrity and Data Validation\n\n      Transmission integrity and data validation are controls used to check\nfor completeness and accuracy of data entered into a system. To ensure the\nintegrity of transmitted data and its validation, encryption should be used for\nthe transmission of interfacing data files.\n\n      The Department\xe2\x80\x99s Information Technology Security (ITS) standards\nrequire that checksums, hash totals, and record counts be used by\napplications to verify data integrity. 46 Components are strongly encouraged\nto have an automated means of detecting both intentional and unintentional\nmodifications of data. Further, the Department\xe2\x80\x99s ITS standards require that\ncommunication channels are protected using FIPS-approved encryption\nmodules.\n\n      We reviewed the transmission integrity and data validation\ndocumentation for five entities that transmit data into the VNS. Four were\nDepartment components \xe2\x80\x93 the FBI, the BOP, USAOs, and the Criminal\nDivision. The fifth was the USPIS.\n\n      Although EOUSA is presently encrypting the transmission of data files\nreceived from the USAOs, the DOJ Criminal Division, and the USPIS, this is\n\n       45\n           The FIPS PUB 199, Standards for Security Categorization of Federal Information\nand Information Systems is required to be used by federal agencies to categorize all\ninformation and information systems collected or maintained by or on behalf of each agency\nbased on the objectives of providing appropriate levels of information security according to\na range of risk levels. The three levels of risk \xe2\x80\x93 low, moderate, and high \xe2\x80\x93 identify the\npotential impact on organizations or individuals should there be a breach of security. The\nFIPS PUB 199 defines the potential impact as moderate if the loss of confidentiality,\nintegrity, or availability could be expected to have a serious adverse effect on organizational\noperations, organizational assets, or individuals.\n       46\n           A checksum is a type of redundancy check used to protect the integrity of data by\ndetecting errors. Hash totals are used as an integrity check to identify files or verify their\nintegrity. Record counts are used to ensure that records are not lost during transmission.\n\n                                     53\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\nnot the case for the BOP and the FBI. Moreover, we found that EOUSA did\nnot always perform data validations as to the completeness or accuracy of\ndata files received from the BOP and the FBI.\n\n      By not encrypting the transmitted data or performing data integrity\nchecks, EOUSA does not have the ability to detect or prevent the alteration\nof transmitted data files. EOUSA acknowledged these deficiencies and is\ncurrently discussing the implementation of complete session encryption for\nBOP and FBI data. At the time of this report, both the FBI and the BOP\nstated that the necessary course of action was initiated in order to encrypt\nthe data transmitted to the VNS.\n\nIdentification and Authentication\n\n       Identification and authentication controls are used to verify the\nidentity of users when accessing the system. For this area, our review found\na weakness in one of the six control areas tested. 47 Specifically, we found a\ndeficiency regarding how system security information is reported in the VNS\nsystem security plan (SSP).\n\n       User identification and authentication is the process of uniquely\nidentifying and authenticating users or devices before establishing a\nconnection. Identification and authentication procedures are commonly\ncommunicated to the users in an SSP. A system security plan is designed to\nprovide an overview of the security requirements of the system and describe\nthe controls in place. SSPs are a key component of certification and\naccreditation packages and are relied upon by the designated approving\nauthority to authorize a system\xe2\x80\x99s operation.\n\n      To maintain accreditation, the Department\xe2\x80\x99s ITS standards require\neach system to be reviewed annually. Further, system documentation\nshould be modified to include any new security controls if they have been\nadded post-development.\n\n      We found that the VNS system security plan had not been updated\nwith the correct procedural information, contact information, and the correct\nprocess of authenticating users before establishing a network connection.\nWe also identified that the document contained inaccurate information. For\nexample, the VNS SSP states: \xe2\x80\x9cThe VNS application will not blank the\nscreen but will disconnect the user from the VNS after 10 minutes of\n\n       47\n           The six control areas of identification and authentication we tested were controls\nfor policy and procedures, user identification and authentication, device identification and\nauthentication, identifier management, authenticator management, and cryptographic\nmodule authentication.\n\n                                    54\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n\n\ninactivity.\xe2\x80\x9d However, we found that the VNS application is currently set to\ndisconnect the user after a period of 20 minutes of inactivity.\n\n      Without an updated SSP, the depiction of the VNS\xe2\x80\x99s system security\nand control environment may be inaccurate or incomplete, which means that\nthe individuals approving the certification and accreditation document are\ndoing so based upon out-of-date information.\n\nWebsite Privacy\n\n       Website privacy controls and data protection methods are enforced to\nprotect data collection and PII. We identified a weakness in one of the\nseven control areas tested. 48 Our review revealed that the VNS\xe2\x80\x99s external\nlinking practices failed to provide disclaimers or notifications to users when\nthey are about to visit a third-party website. The intent of external linking\nnotifications is to notify users that they will no longer be protected by the\nprivacy policies of the current site they are visiting once they navigate to\nanother website via a hyperlink.\n\n       The Department\xe2\x80\x99s Guidance for the Implementation of Office of\nManagement and Budget (OMB) Policies for Federal Agency Websites states\nthat websites should provide visitors an appropriate notification and a\ndisclaimer statement when the individual leaves a Department website via a\nnon-government link.\n\n       Occasionally, a federal VNS user will insert a hyperlink into the VNS\nthat, when pursued, will send a victim using the VIS to another website that\nhas additional information. For example, a third-party website might have\nsocial services information for victims. The VIS does not provide a\ndisclaimer notification to users when visiting these third-party websites\nthrough a hyperlink. Without a disclaimer notification, VIS users may be\nunaware that differing privacy policies are in effect.\n\nThe VNS\xe2\x80\x99s VIS Web Application Controls Testing\n\n      The testing of web application controls is designed to identify issues\nrelated to vulnerabilities and risks associated with web applications. These\nvulnerabilities often result in the loss of confidentiality, integrity, and\navailability of data.\n\n\n\n       48\n          The seven control areas of website privacy we tested were relevant content,\napproval of content, external linking, tracking mechanisms, persistent tracking mechanisms,\ndisclaimers for tracking mechanisms, and privacy policy.\n\n                                   55\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n\n\n      We utilized commercially available software tools to evaluate the VIS\xe2\x80\x99s\nweb application information security controls. 49 We identified the following\nvulnerabilities:\n\n       \xe2\x80\xa2      The VIS may allow manipulation within a web application, which\n              can exploit security issues.\n\n       \xe2\x80\xa2      The configuration of the VIS allows for the possibility that users\n              could bypass the entry of usernames and passwords of linked\n              web pages. As a result, individuals could gain access to\n              unauthorized information.\n\n       \xe2\x80\xa2      The application may be vulnerable to attacks that can allow\n              malicious users to retrieve data or alter server settings.\n\n       \xe2\x80\xa2      The VNS server configuration allowed for access to common\n              default directories. Default directories often contain\n              vulnerabilities that can be exploited over the web. Common\n              default directories are installed during initial installation and all\n              non-essential directories should be removed by the administrator\n              and essential directories should be protected by authentication.\n\n       \xe2\x80\xa2      The VNS uses JavaScript, a computer language used to create\n              interactive websites and web applications, which has certain\n              risks inherent to its use. For example, JavaScript may be able to\n              scan a network, identify all web-enabled devices, and send\n              attacks or commands to these devices.\n\n       \xe2\x80\xa2      The potential existed for unauthorized users to access web\n              server administrative interfaces. These interfaces are used by\n              the website administrator to maintain the website and are\n              usually not available to the public.\n\n       \xe2\x80\xa2      The VNS is susceptible to exploits in which an attacker uses the\n              software on a web server to access data in a directory prohibited\n              for use by the attacker. Moreover, the execution of arbitrary\n              commands and code by an attacker may be possible.\n\n       49\n           See Appendix XI for the full details and results of web application testing. The\ntest procedures were limited to the arrangements made with EOUSA, which required that\nnon-destructive testing be performed. In other words, our testing could identify that a\nvulnerability existed, but we could not attempt to exploit that vulnerability to examine the\neffect of the weakness or any possible consequence of an external exploitation of the\nweakness.\n\n\n                                    56\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n\n\n       The sensitive information contained within the VNS was not adequately\nprotected against the loss of confidentiality, integrity, and availability of\ndata. The vulnerabilities found in the VNS\xe2\x80\x99s VIS web application controls are\nsignificant because the system contains personally identifiable information\nfor federal crime victims that includes names, contact information, and some\nsocial security numbers. Therefore, EOUSA should take necessary actions to\nimprove its website security to help protect the identities of victims of\nfederal crimes.\n\nThe VNS Vulnerability Assessment\n\n       A vulnerability assessment is the systematic examination of an\ninformation system that determines the adequacy of security measures,\nidentifies security deficiencies, provides data from which to extrapolate the\neffectiveness of proposed security measures, and confirms the adequacy of\nsuch measures after implementation.\n\n      We performed a vulnerability assessment to identify the information\nsecurity controls implemented for the VNS environment. We reviewed the\nVNS\xe2\x80\x99s current information security controls to determine whether they were\nimplemented to adhere to the Department\xe2\x80\x99s standards. We identified\nvulnerabilities within the three areas described below. 50\n\n      Unnecessary or Vulnerable Service\n\n      System services can be used to operate computer servers or trigger\noperating system functions. These services can pose serious security\nthreats to the system and network if they are not secured. Further,\nunnecessary services should be disabled.\n\n      During the review of VNS information security controls, we found\nunnecessary or vulnerable services operating on the system. If not properly\nsecured or disabled, these services could be exploited to launch attacks\nagainst the VNS infrastructure. For example, the VNS file transfer protocol\n(also commonly referred to as \xe2\x80\x9cFTP\xe2\x80\x9d), designed for the transfer of files\nremotely over large distances, was identified as an older version of this\nprotocol. This version permits passing of user identification and password as\nwell as session data in plain text without encryption. Allowing log-ins and\npasswords to pass between client and server in plain text makes them\nvulnerable to session high-jacking. Therefore, this service should be\ndisabled and all transfers of files be done with encryption.\n\n\n      50\n           See Appendix X for the full details and results of the vulnerability assessment.\n\n                                     57\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n      Patch Management\n\n      Patch management is the process of controlling the deployment and\nmaintenance of interim software releases into the system\xe2\x80\x99s environment. It\nis used to maintain operational efficiency and effectiveness, overcome\nsecurity vulnerabilities, and maintain the stability of the system\xe2\x80\x99s\nenvironment.\n\n       Patches are developed by software manufacturers following the\nidentification of system security weaknesses that can be exploited. When\nsystems\xe2\x80\x99 patches are not current, the risk posed by the weaknesses the\npatches were created to address is increased.\n\n      We found that EOUSA did not always apply application and server\npatches in a timely manner. Several patches that had been available since\n2002 and 2005 had not been applied. In essence, by not applying the\npatches, EOUSA has allowed a known system vulnerability to continue to\nexist. As a result, at a minimum, the VNS is susceptible to a disruption of its\noperations. This disruption could be caused by a \xe2\x80\x9cTrojan Horse\xe2\x80\x9d - a\ndestructive program that masquerades as a benign application before it is\nexecuted. The VNS may also be vulnerable to a buffer overflow, which\noccurs when a program or process tries to store more data in a temporary\ndata storage area than it was intended to hold. This data can overflow into\nadjacent storage areas, corrupting or overwriting the valid data held in\nthem.\n\n      Network Device and Server Security\n\n      Network device and server security refers to the management of\ndevice settings and configurations implemented in order to secure the\nsystem and network infrastructure.\n\n       By not implementing security standards and best practices to protect\nagainst common vulnerabilities, the VNS may be susceptible to unauthorized\nuse, access, or data modification of system configuration and password\nfiles. Because of these vulnerabilities, VNS data that is being transmitted\nacross the system may be intercepted and redirected to a person who is not\nauthorized to receive the data. Additionally, an attacker could possibly\ninterfere with system operations and cause the system to become\ninoperable.\n\n\n\n\n                                58\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\nConclusion\n\n       We found that the sensitive information contained in the VNS may be\nsusceptible to unauthorized use, access, or data modification. We identified\ndeficiencies with EOUSA\xe2\x80\x99s implementation of systems and communications\nprotection controls, identification and authentication, website privacy, web\napplication controls, unnecessary or vulnerable system services, patch\nmanagement, and network device and server security. These deficiencies\nexist because EOUSA did not always fully develop, enforce, or formalize IT\nsecurity and privacy policies and procedures in accordance with current\nDepartment information security policies and procedures.\n\n      Because the VNS contains personally identifiable information for\nfederal crime victims such as names, contact information, and some social\nsecurity numbers, EOUSA must improve its information security practices to\nhelp ensure that the data is appropriately protected.\n\nRecommendations\n\nWe recommend that EOUSA:\n\n     13.   Perform data integrity checks and implement the encryption of\n           data files received to ensure completion and accuracy in\n           accordance with Department policy.\n\n     14.   Update the VNS system security plan to reflect complete and\n           accurate user identification and authentication security\n           information as required by Department standards.\n\n     15.   Ensure that a disclaimer notification is developed for the VIS\n           application to notify users when they are about to visit a third-\n           party website through a hyperlink.\n\n     16.   Modify the VIS application to protect against common web\n           attacks in accordance with the recommendations listed for the\n           specific vulnerabilities in Appendix XI.\n\n     17.   Terminate unnecessary or vulnerable services identified on the\n           VNS servers.\n\n     18.   Apply application and server patches in a timely manner.\n\n\n\n\n                                59\n                    REDACTED FOR PUBLIC RELEASE\n\x0c              REDACTED FOR PUBLIC RELEASE\n\n\n19.   Adequately secure network devices and server configurations in\n      accordance with the recommendations listed for the specific\n      vulnerabilities in Appendix X.\n\n\n\n\n                          60\n              REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n              STATEMENT ON INTERNAL CONTROLS\n\n      In planning and performing our audit of the DOJ Victim Notification\nSystem (VNS), we considered the Executive Office for U.S. Attorneys\xe2\x80\x99\n(EOUSA) control structure over the VNS for the purpose of determining our\naudit procedures. This evaluation was not made for the purpose of providing\nassurances on its internal control structure as a whole. However, we noted\ncertain matters involving internal controls that we consider reportable\nmatters under the Government Auditing Standards.\n\n       Reportable conditions involve matters coming to our attention relating\nto significant deficiencies in the design or operations of the internal control\nstructure that, in our judgment, could adversely affect EOUSA\xe2\x80\x99s ability to\neffectively oversee the VNS. We identified weaknesses in: (1) the\nmanagement of the VNS, (2) the effectiveness of the VNS, and (3) the\ninformation security of the VNS. We discussed these issues in the Findings\nand Recommendations section of the report. Because we are not expressing\nan opinion on EOUSA\xe2\x80\x99s internal control structure as a whole, this statement\nis intended for the information and use of EOUSA\xe2\x80\x99s management of the VNS.\n\n\n\n\n                                61\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n\n\n               STATEMENT ON COMPLIANCE WITH\n                   LAWS AND REGULATIONS\n\n      In connection with this audit of DOJ\xe2\x80\x99s Victim Notification System, as\nrequired by Government Auditing Standards, we reviewed management\nprocesses and records to obtain reasonable assurance about DOJ\xe2\x80\x99s\ncompliance with laws and regulations that, if not complied with, in our\njudgment, could have a material effect on the VNS. Compliance with the\nlaws and regulations applicable to EOUSA\xe2\x80\x99s management of the VNS is the\nresponsibility of EOUSA.\n\n      Our audit included examining, on a test basis, evidence about laws and\nregulations. The specific laws and regulations are contained in the relevant\nportions of the:\n\n     \xe2\x80\xa2     Victim and Witness Protection Act of 1982, Pub. L. No. 97-291;\n\n     \xe2\x80\xa2     Victims of Crime Act of 1984, Pub. L. No. 98-473, the Victims\n           Compensation and Assistance Act, 42 U.S.C. \xc2\xa7 10601 (2006),\n           and Services to Victims 42 U.S.C. \xc2\xa7 10607 (2007);\n\n     \xe2\x80\xa2     Victims\xe2\x80\x99 Rights and Restitution Act of 1990, 42 U.S.C. \xc2\xa7 10606\n           (2004);\n\n     \xe2\x80\xa2     Violent Crime Control and Law Enforcement Act of 1994, 42\n           U.S.C. \xc2\xa7 14222 (1994);\n\n     \xe2\x80\xa2     Antiterrorism and Effective Death Penalty Act of 1996, Pub. L.\n           No. 104 - 132;\n\n     \xe2\x80\xa2     Victim Rights Clarification Act of 1997, 18.U.S.C. \xc2\xa7 3510 (1997);\n\n     \xe2\x80\xa2     Victims of Trafficking and Violence Protection Act of 2000, Pub.\n           L. No. 106 \xe2\x80\x93 386; and\n\n     \xe2\x80\xa2     Justice for All Act of 2004, Public Law 108-405.\n\n      Our audit did not identify areas where EOUSA was not in compliance\nwith the laws and regulations referred to above. With respect to areas that\nwere not tested, nothing came to our attention that caused us to believe\nthat EOUSA management was not in compliance with the laws and\nregulations cited above.\n\n\n\n                                62\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                                   APPENDIX I\n           OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjectives\n\n      The objectives of this audit were to determine if:\n\n      (1) EOUSA has effectively managed the VNS, including overseeing the\ncontractors, ensuring the accuracy of data in the system, and planning for\nthe future;\n\n      (2) The VNS is an effective tool for victims of crime; and\n\n     (3) The VNS was properly secured to prevent unauthorized use,\naccess, and data modification.\n\nScope and Methodology\n\n      To accomplish our audit objectives, we conducted more than\n50 interviews with agencies that are directly involved with the VNS, including\nheadquarters officials from EOUSA, the DOJ Criminal Division, the FBI, the\nBOP, the USPIS, and the OVC. We also spoke with headquarters officials\nfrom those agencies that do not directly participate in the VNS, such as the\nBureau of Alcohol, Tobacco, Firearms, and Explosives (ATF); the Drug\nEnforcement Administration (DEA); the U.S. Marshals Service (USMS); the\nAdministrative Office of the U.S. Courts (AOUSC); the Bureau of Immigration\nand Customs Enforcement (ICE); and the U.S. Secret Service (USSS) to\ndetermine their knowledge of the VNS and whether they had been contacted\nabout participating in the VNS. Additionally, we interviewed the contractor\n(AT&T Government Solutions) who manages the system, as well as the sub-\ncontractor (Appriss) who manages the Call Center/Help Desk and back-up\nservers. We also reviewed internal documents, such as planning materials,\ncontracts, manuals, internal directives and policies, and financial reports\nfrom EOUSA, the DOJ Criminal Division, the FBI, the BOP, the USPIS, and\nthe OVC. Moreover, we obtained and analyzed empirical data from the VNS\nand used this information to develop descriptive statistics on the number\nand types of victims in the system.\n\n       We conducted fieldwork in Chicago and Lisle, Illinois; Lexington and\nLouisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas\nCity, Missouri, where we interviewed field personnel. Specifically, at these\nlocations we spoke with senior management and staff who utilized the VNS\nat the local USAO, BOP, and FBI offices, and reviewed reports and files\napplicable to our review. In general, the scope of our audit covered the\nperiod of FYs 1998 through 2007.\n\n                                63\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                            APPENDIX I\n       Related to our first objective, we performed a limited review of the\nservices provided by the contractor and sub-contractor \xe2\x80\x93 including Call\nCenter operations, discussed the entry of information into the VNS with\nfederal VNS users, reviewed data in the VNS and spoke with federal VNS\nusers to determine if information in the system was accurate, and\ninterviewed non-participating agencies to determine if outreach was\nperformed and if the agencies were interested in participating in the VNS.\nTo determine if the VNS is an effective tool for victims, we designed and\ndeployed two surveys: (1) one to victims who were active in the system,\nand (2) another to victims who were no longer active in the system. 51 We\nselected stratified, statistical samples of victims, to which we sent the\nsurveys. 52 We also reviewed other surveys conducted by EOUSA and the\nBOP, and conducted our own testing of the VNS website through use of a\ntest victim account.\n\n      To accomplish our third objective, we utilized a private auditing firm,\nwith experience in conducting IT audits, to perform an information security\nreview of the VNS. Specifically, the OIG engaged Urbach, Kahn, & Werlin,\nLLP (UKW) to conduct an independent assessment to determine whether\nVNS information security and privacy policies comply with government\nstandards and established best practices. To identify whether the VNS\ncomplied with DOJ and federal privacy and information security policies,\nUKW performed interviews, on-site observations, and reviews of information\nsecurity-related documents.\n\nPrior Reviews\n\n       The OIG has not performed any prior reviews of DOJ\xe2\x80\x99s Victim\nNotification System. In July 2003, the Government Accountability Office\n(GAO) reviewed whether EOUSA had institutionalized key information\ntechnology (IT) management capabilities that are critical to achieving DOJ\xe2\x80\x99s\nstrategic goal of improving the integrity, security, and efficiency of its\nIT systems. The report identified the VNS as one of EOUSA\xe2\x80\x99s systems. The\nGAO report recommended EOUSA: (1) designate institutionalization of each\nof the IT management disciplines as priorities, and (2) develop and\nimplement action plans in each of the four IT disciplines to address the\nweaknesses that were identified in its report. EOUSA agreed with the\nmajority of the GAO\xe2\x80\x99s findings and recommendations and stated that it\nwould address most of the recommendations. EOUSA also stated that it has\n\n       51\n            Copies of both of our surveys can be found in Appendices V and VI.\n       52\n         Due to the technical nature of the work, details of the surveys\xe2\x80\x99 complete scope\nand methodology can be found in Appendices VII and VIII.\n\n\n                                     64\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                               APPENDIX I\nmade notable progress in institutionalizing the IT management disciplines,\nparticularly information security, and that each was an office priority.\n\n\n\n\n                                65\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n                                                                 APPENDIX II\n\n       LAWS, REGULATIONS, AND MANDATES ENACTED\n                 FOR VICTIMS OF CRIME\n\nVictim and Witness Protection Act of 1982\n\n       The VWPA was enacted to: (1) enhance and protect the necessary\nrole of crime victims and witnesses in the criminal justice process,\n(2) ensure that the federal government does all that is possible within limits\nof available resources to assist victims and witnesses of crime without\ninfringing on the constitutional rights of defendants, and (3) provide a model\nfor legislation for state and local governments.\n\nVictims of Crime Act of 1984, the Victims Compensation and\nAssistance Act, and Services to Victims\n\n       The Victims of Crime Act of 1984 (VOCA), established the Crime\nVictims Fund (Fund). The Fund consists of: (1) most fines collected from\npersons convicted of offenses against the United States; (2) penalty\nassessments collected under section 3013 of Title 18; (3) proceeds of\nforfeitures (appearance bonds, bail bonds, and collateral) under section\n3146 of Title 18; (4) any money ordered to be paid into the Fund under\nsection 3671 (c)(2) of Title 18; and (5) authorized gifts, bequests, or\ndonations to the Fund from private entities or individuals. The money from\nthis fund was initially to be used for state and local programs for victims of\ncrime. Amended in 1988, the VOCA also legislatively created the Office for\nVictims of Crime (OVC) within the Office of Justice Programs (OJP). The\nVOCA was reauthorized and amended in 2005.\n\n       In the first session of the 105th Congress, the Fund received a\n$21 million repayment. Congress authorized these dollars for hiring\nvictim/witness coordinators in the U.S. Attorney\xe2\x80\x99s offices; establishing an\nautomated victim information and notification system for federal cases; and\ncollecting, enforcing, and processing restitution orders.\n\n\n\n\n                                 66\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                            APPENDIX II\n\n       The VOCA also requires responsible officials to identify victims. 53 At\nthe earliest opportunity after the detection of a crime at which it may be\ndone without interfering with an investigation, a responsible official shall:\n(1) identify the victim or victims of a crime; (2) inform the victims of their\nright to receive services (described below) on request; and (3) inform each\nvictim of the name, title, and business address and telephone number of the\nresponsible official to whom the victim should address a request for each of\nthe services. Description of services provided under the VOCA are:\n\n(1)    A responsible official shall inform a victim: (A) of the place where the\n       victim may receive emergency medical and social services; (B) of any\n       restitution or other relief to which the victim may be entitled under\n       this or any other law and in a manner in which such relief may be\n       obtained; (C) of public and private programs that are available to\n       provide counseling, treatment, and other support to the victim; and\n       (D) of assistance in contacting the persons who are responsible for\n       providing the services and relief.\n\n(2)    A responsible official shall arrange for a victim to receive reasonable\n       protection from a suspected offender and persons acting in concert\n       with or at the behest of the suspected offender.\n\n(3)    During the investigation and prosecution of a crime, a responsible\n       official shall provide a victim the earliest possible notice of: (A) the\n       status of the investigation of the crime, to the extent it is appropriate\n       to inform the victim and to the extent that it will not interfere with the\n       investigation; (B) the arrest of a suspected offender; (C) the filing of\n       charges against a suspected offender; (D) the scheduling of each court\n       proceeding that the witness is either required to attend or, under\n       section 10606 (b)(4) of this title, is entitled to attend; (E) the release\n       or detention status of an offender or suspected offender; (F) the\n       acceptance of a plea of guilty or nolo contendere or the rendering of a\n       verdict after trial; and (G) the sentence imposed on an offender,\n       including the date on which the offender will be eligible for parole.\n\n\n\n       53\n            The term \xe2\x80\x9cvictim\xe2\x80\x9d means a person that has suffered direct physical, emotional, or\npecuniary harm as a result of the commission of a crime. This includes an institutional\nentity where there is an authorized representative for the entity. And, in cases where a\nvictim is under 18 years of age, incompetent, incapacitated or deceased, there is another\npreferred person designated on the victim\xe2\x80\x99s behalf (e.g., spouse, legal guardian, parent, a\nchild, a sibling, another family member or another person designated by the court).\n42 U.S.C. \xc2\xa7 10607 (2007).\n\n\n                                    67\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n                                                                 APPENDIX II\n\n(4)   During court proceedings, a responsible official shall ensure that a\n      victim is provided a waiting area removed from and out of the sight\n      and hearing of the defendant and defense witnesses.\n\n(5)   After trial, a responsible official shall provide a victim the earliest\n      possible notice of: (A) the scheduling of a parole hearing for the\n      offender; (B) the escape, work release, furlough, or any other form of\n      release from custody of the offender; and (C) the death of the\n      offender, if the offender dies while in custody.\n\n(6)   At all times, a responsible official shall ensure that any property of a\n      victim that is being held for evidentiary purposes be maintained in\n      good condition and returned to the victim as soon as it is no longer\n      needed for evidentiary purposes.\n\n(7)   The Attorney General or the head of another department or agency\n      that conducts an investigation of a sexual assault shall pay, either\n      directly or by reimbursement of payment by the victim, the cost of a\n      physical examination of the victim, which an investigating officer\n      determines was necessary or useful for evidentiary purposes.\n\n(8)   A responsible official shall provide the victim with general information\n      regarding the corrections process, including information about work\n      release, furlough, probation, and eligibility for each.\n\nVictims\xe2\x80\x99 Rights and Restitution Act of 1990\n\n       The Crime Control Act of 1990 further directed responsible government\nofficials to provide victims with general information regarding the corrections\nprocess, including information about work release, furlough, and probation.\nTitle IV of the Victims Rights and Restitution Act of 1990 requires all federal\nlaw enforcement agencies to make their best efforts to accord victims of\ncrime with the right to: (1) be treated with fairness and respect for the\nvictim\'s dignity and privacy; (2) be protected against their accused\noffenders; (3) be notified of court proceedings; (4) attend public court\nproceedings related to the offense under certain conditions; (5) confer with\nthe government attorney assigned to the case; (6) receive restitution; and\n(7) receive information about the conviction, sentencing, imprisonment, and\nrelease of the offender. The Act also directs federal law enforcement agency\nheads to designate the persons required by this Act to identify and provide\ncertain services to the victims of a crime, such as informing victims about\nwhere to receive medical care, counseling, and police protection, and about\ndevelopments during the investigation and prosecution of the crime and\n\n                                 68\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n                                                                 APPENDIX II\n\nafter the trial (such as the arrest of a suspected offender or an escape of a\nconvicted offender). It also directs that a responsible official provide the\nvictim with general information regarding the corrections process, including\ninformation about work release, furlough, and probation. This Act was\nrepealed in 2004 and replaced with the Justice for All Act of 2004.\n\nViolent Crime Control and Law Enforcement Act of 1994\n\n       The Violent Crime Control and Law Enforcement Act of 1994 mandated\nthat: (1) law should provide for a victim\'s right of allocation at a sentencing\nhearing and at any parole hearing if the offender has been convicted of a\ncrime of violence or sexual abuse; (2) such a victim should have an\nopportunity equivalent to that accorded to the offender\'s counsel to address\nthe sentencing court or parole board and to present information in relation\nto that sentence imposed or to the early release of the offender; and (3) if\nthe victim is unable or chooses not to testify at a sentencing or parole\nhearing, the victim\'s parents, legal guardian, or family members should have\nthe right to address the court or board. It also established mandatory\nrestitution for victims of four categories of crime: (1) domestic violence,\n(2) sexual assault, (3) the exploitation and abuse of children, and\n(4) telemarketing fraud.\n\nAntiterrorism and Effective Death Penalty Act of 1996\n\n      The Antiterrorism and Effective Death Penalty Act of 1996 expanded\nmandatory restitution to virtually all crimes committed in violation of Title 18\nof the United States Code.\n\nVictim Rights Clarification Act of 1997\n\n       The Victims Rights Clarification Act of 1997 gives victims the right to\nattend a trial even though they may testify during the sentencing portion of\nthe trial.\n\nThe Victims of Trafficking and Violence Protection Act of 2000\n\n     The Victims of Trafficking and Violence Protection Act of 2000 protects\nimmigrant victims of domestic violence, human trafficking, and other crimes\nfrom deportation in certain cases.\n\n\n\n\n                                 69\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX II\n\nThe Justice for All Act of 2004\n\n      The 2004 Justice for All Act expanded and recodified the victims\xe2\x80\x99 bill of\nrights and gave victims standing to enforce those rights. 54 The JFAA\nupdated victims\' rights to include: (1) the right to be reasonably protected\nfrom the accused; (2) the right to reasonable, accurate, and timely notice of\nany public court proceeding, or any parole proceeding, involving the crime or\nof any release or escape of the accused; (3) the right not to be excluded\nfrom any such public court proceeding, unless the court, after receiving clear\nand convincing evidence, determines that testimony by the victim would be\nmaterially altered if the victim heard other testimony at that proceeding;\n(4) the right to be reasonably heard at any public proceeding in the district\ncourt involving release, plea, sentencing, or any parole proceeding; (5) the\nreasonable right to confer with the attorney for the government in the case;\n(6) the right to full and timely restitution as provided in law; (7) the right to\nproceedings free from unreasonable delay; and (8) the right to be treated\nwith fairness and with respect for the victim\'s dignity and privacy.\n\n       The JFAA also created the following requirements for government\nagencies\xe2\x80\x99 best efforts to accord victims\' rights: (1) government officers and\nemployees of DOJ and other departments and agencies of the United States\nengaged in the detection, investigation, or prosecution of crime shall make\ntheir best efforts to see that crime victims are notified of, and accorded, the\nrights; (2) the prosecutor shall advise the crime victim that he or she can\nseek the advice of an attorney with respect to the rights; and (3) notice of\nrelease otherwise required pursuant to this chapter shall not be given if such\nnotice may endanger the safety of any person.\n\n     The JFAA authorized appropriation funding through VOCA for\nenhancement of the VNS from 2006-2009.\n\nThe Attorney General Guidelines for Victim Witness Assistance\n(1995, 2000 and 2005)\n\n      The purpose of the AG Guidelines was to establish guidelines to be\nfollowed by officers and employees of DOJ investigative, prosecutorial, and\ncorrectional agencies in the treatment of victims and witnesses to crime.\n\n     In the VWPA, Congress instructed the Attorney General to develop and\nimplement guidelines for DOJ consistent with the purposes of the Act.\nCongress set forth the objectives of the guidelines, which include the\n       54\n           The list of rights, commonly referred to as the \xe2\x80\x9cvictims\xe2\x80\x99 bill of rights\xe2\x80\x9d is now\ncodified at 18 U.S.C. \xc2\xa7 3771 (2004).\n\n                                     70\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                               APPENDIX II\n\nprovision of services to victims; notification about protection, services, and\nmajor case events; consultation with the government attorney; a separate\nwaiting area at court; the return of property; notification of employers; and\ntraining for law enforcement and others. Congress also instructed the\nAttorney General to assure that all federal law enforcement agencies outside\nof DOJ adopt guidelines consistent with the purposes of the VWPA.\n\n       In conformance with the congressional directive, the Attorney General\npromulgated the AG Guidelines, which have been revised to incorporate new\nlegislative provisions. In 2000, the AG Guidelines were revised to include\nthe Violent Crime Control and Law Enforcement Act of 1994; the\nAntiterrorism and Effective Death Penalty Act of 1996; and the Clarification\nAct of 1997. In 2005, the AG Guidelines were revised to include the Victims\nof Trafficking and Violence Protection Act of 2000 and the Justice for All Act\nof 2004.\n\n\n\n\n                                71\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX III\n\n                          FUNDING THE VNS\n\n      The Victims Compensation and Assistance Act (Pub. L. No. 98-473), as\namended through the 1984 Victims of Crime Act (VOCA), 42 U.S.C.\xc2\xa7 10601\n(2006), established a monetary account known as the Crime Victims Fund\n(Fund). It contains money derived not from tax dollars, but from fines and\npenalties that federal criminal offenders must pay as part of their sentences.\nThe largest source of deposits in the Fund comes from criminal fines.\n\n      The VOCA established the Office for Victims of Crime (OVC) within\nDOJ\xe2\x80\x99s Office of Justice Programs (OJP). It authorized the Director of the\nOVC to administer funding to state and federal agencies for their victim\nassistance and compensation programs through the Fund.\n\n       In 1997, the OVC allocated $8 million to support the development of\nan automated victim information and notification system for the federal\njustice system. That same year, $21 million was returned to the Fund and\nmade available to the OVC to improve services to crime victims in the\nfederal criminal justice system. Congress authorized the establishment of an\nautomated victim information and notification system for federal cases\nthrough this funding.\n\n      The OVC and EOUSA entered into an Inter-Agency Agreement in\nJune 1998 whereby funds were made available through the Fund for the\nestablishment of an automated notification system and to pay for an\nassessment analysis. EOUSA spearheaded the project, with the assistance\nfrom a working group comprised of representatives from the FBI, the OVC,\nand the BOP.\n\n        The VNS working group hired an outside consulting agency to analyze\neach component\xe2\x80\x99s requirements for an automated system, review current\navailable systems that might be expanded to meet the specific needs of the\ninitiative, and develop the system. The analysis was completed\nJanuary 1999 and the system was deployed in 2001.\n\n      The cost of the notification system was estimated to be $8 million and\nby FY 2000 that amount was transferred from the OVC to EOUSA in\nreimbursable agreements. Specifically, $559,121 was transferred to EOUSA\nin FY 1998 for requirement analysis; $193,764 was added to VNS\nfunding for salary, benefit, and travel costs for the VNS Program Manager in\nFY 1999; and approximately $7.2 million was added for the deployment of\nthe system in FY 2000. The expected outcome of this system was to\ndevelop an automated victims\xe2\x80\x99 information database and a means to provide\n\n                                72\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n                                                                APPENDIX III\n\ntimely victim notification of the current status of offenders in the federal\ncriminal justice system.\n\n      The Justice for All Act of 2004 (Pub. L. No. 108-405) authorized\nappropriations of $2 million for FY 2005 and $5 million in each fiscal year\nfrom 2006 through 2009 to the OVC for enhancement of the VNS. Review of\nthe Reimbursable Agreements between the OVC and EOUSA indicate the\nactual funding approved each year starting in FY 1998, as displayed in the\nfollowing table.\n\n\n                  Reimbursable Agreements between\n                     the OVC and EOUSA for the VNS\n                  Fiscal Year                  Amount\n                         1998                 $559,122\n                         1999                 $193,765\n                         2000               $7,199,096\n                         2001                       $0\n                         2002               $5,000,000\n                         2003               $5,141,843\n                         2004               $5,141,843\n                         2005               $4,960,000\n                         2006               $5,334,928\n                         2007               $5,000,000\n                        Total             $38,530,597\n               Source: EOUSA Reimbursable Agreements\n\n\n\n\n                                 73\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                   REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX IV\n\n                    TYPES OF NOTIFICATIONS\n\n         NOTIFICATION EVENT                        DESCRIPTION\n                                 FBI/USPIS\n                                      Initial registrant notification from an\n1    Initial (Investigative Agency)\n                                      investigative agency\n2    Under Investigation              Case is under investigation\n3    Arrest                           An anonymous arrest has been made\n4    Declination of Prosecution       Declination of prosecution\n                                      Other notification from an\n5    Other (Investigative Agency)\n                                      Investigative agency\n     Advice of Victim Rights          Advice of victim rights for an\n6\n     (Investigative)                  investigative case\n7    Investigation Closed             Case not prosecuted\n                         USAO/CRIMINAL DIVISION\n                                      Advice of victim rights for a USAO\n8    Advice of Victim Rights (USAO)\n                                      case\n9    Appeal                           Appeal\n                                      The outcome of an appeal by a\n10   Appeal Outcome\n                                      subject\n11   Arraignment                      Arraignment hearing\n12   Arraignment Canceled             Arraignment hearing canceled\n                                      An arrest has been made on a\n13   Arrest (USAO)\n                                      particular subject\n14   Bail/Detention Hearing           Bail or detention hearing\n     Bail/Detention Hearing\n15                                    Bail or detention hearing canceled\n     Canceled\n                                      Registrant accepted into CCTV\n16   CCTV Accepted\n                                      program\n17   CCTV Initial                     Initial CCTV notification\n18   CCTV Other                       Other CCTV notification\n                                      Registrant rejected from CCTV\n19   CCTV Rejected\n                                      program\n20   CCTV Scheduled                   CCTV event scheduled\n                                      The subject has changed his / her\n21   Change of Plea\n                                      plea\n22   Change of Plea Canceled          Change of plea canceled\n23   Charges Dismissed                Dismissal of charges\n     Charges Filed (includes Victim   Charges filed against a subject on a\n24\n     Rights)                          docket\n                                      A hearing to determine the\n25   Competency Hearing\n                                      competency of the defendant\n\n                               74\n                   REDACTED FOR PUBLIC RELEASE\n\x0c                      REDACTED FOR PUBLIC RELEASE\n                                                             APPENDIX IV\n\n        NOTIFICATION EVENT                       DESCRIPTION\n26   Competency Hearing Canceled      Competency hearing canceled\n27   Criminal Default Hearing         Collection Hearing 4\n     Criminal Default Hearing\n28                                    Collection Hearing 4 canceled\n     Canceled\n29   Death during Trial               Death during trial\n                                      Outcome of sentencing for a juvenile\n30   Delinquent/Sentencing\n                                      subject\n31   Directed Verdict                 Directed verdict\n32   First Appearance                 First (or initial) appearance\n33   First Appearance Canceled        First appearance canceled\n34   Guilty Plea                      Guilty plea\n                                      The trial has ended due to a hung\n35   Hung Jury\n                                      jury\n                                      Initial registrant notification from\n36   Initial (USAO)\n                                      USAO\n                                      Form returned by victim for juvenile\n37   Juvenile Form\n                                      subject\n                                      A hearing for status of defendants\n38   Mental Treatment Hearing\n                                      found not guilty by reason of insanity\n     Mental Treatment Hearing\n39                                    Mental treatment hearing canceled\n     Canceled\n40   Mistrial                         The trial has ended due to a mistrial\n                                      A hearing to consider an appeal filed\n41   Oral Argument Appeal Hearing\n                                      in the criminal case.\n     Oral Argument Appeal Hearing     Oral argument appeal hearing\n42\n     Canceled                         canceled\n43   Other Hearing                    Other hearing\n44   Other (USAO)                     Other notification from USAO\n45   Other Canceled                   Other hearing canceled\n46   Plea of Nolo Contendere          Plea of Nolo Contendere\n                                      A hearing after plea / verdict before\n47   Post Trial Hearing               sentencing to cover any issues other\n                                      than sentencing\n48   Post Trial Hearing Canceled      Post trial hearing canceled\n49   Preliminary Hearing              Preliminary hearing\n50   Preliminary Hearing Canceled     Preliminary hearing canceled\n                                      A hearing to cover pre-sentencing\n51   Pre-Sentence Hearing\n                                      issues\n52   Pre-Sentence Hearing Canceled    Pre-sentence hearing canceled\n     Pretrial Diversion - Dismissal   Subject successfully completed\n53\n     for                              pretrial diversion program\n\n                                  75\n                      REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                            APPENDIX IV\n\n        NOTIFICATION EVENT                      DESCRIPTION\n                                     Subject entered pretrial diversion\n54   Pretrial Diversion - Enter\n                                     program\n55   Pretrial Motions Hearing        A hearing to consider pretrial motions\n     Pretrial Motions Hearing\n56                                   Pretrial motions hearing canceled\n     Canceled\n                                     Charges against a subject have been\n57   Proposed Dismissal of Charges\n                                     proposed dismissed\n                                     Proposed plea agreement for a\n58   Proposed Plea Agreement\n                                     defendant\n59   Release                         General release\n60   Re-sentencing Hearing           Re-sentencing hearing\n     Re-sentencing Hearing\n61                                   Re-sentencing hearing canceled\n     Canceled\n62   Restitution                     A victim has been awarded restitution\n63   Restitution Discovery Hearing   Collection Hearing 2\n     Restitution Discovery Hearing\n64                                   Collection Hearing 2 canceled\n     Canceled\n     Restitution Enforcement\n65                                   Collection Hearing 1\n     Hearing\n     Restitution Enforcement\n66                                   Collection Hearing 1 canceled\n     Hearing Canceled\n     Restitution Payment Schedule\n67                                   Collection Hearing 3\n     Hearing\n     Restitution Payment Schedule\n68                                   Collection Hearing 3 canceled\n     Hearing Canceled\n     Restitution Re-sentencing\n69                                   Collection Hearing 5\n     Hearing\n     Restitution Re-sentencing\n70                                   Collection Hearing 5 canceled\n     Hearing Canceled\n     Revoke/Modify Probation         A hearing to revoke or modify the\n71\n     Hearing                         conditions of probation.\n     Revoke/Modify Probation         Revoke or modify probation hearing\n72\n     Hearing Canceled                canceled\n                                     A hearing to revoke or modify\n     Revoke/Modify Supervised\n73                                   supervised release as a result of\n     Release Hearing\n                                     violations of release.\n     Revoke/Modify Supervised        Revoke or modify supervised release\n74\n     Release Hearing Canceled        hearing canceled\n                                     Case is being transferred to another\n75   Rule 20 Transfer Notice\n                                     district\n\n\n\n                                76\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                                APPENDIX IV\n\n        NOTIFICATION EVENT                          DESCRIPTION\n     Rule 35 Sentence Reduction         A hearing to reduce the defendant\xe2\x80\x99s\n76\n     Hearing                            sentence\n     Rule 35 Sentence Reduction         Rule 35 sentence reduction hearing\n77\n     Hearing Canceled                   canceled\n78   Sentencing                         Sentencing hearing\n79   Sentencing Canceled                Sentencing hearing canceled\n80   Sentencing Outcome                 Outcome of sentencing hearing\n                                        A hearing to determine the current\n81   Status Hearing\n                                        status of the case\n82   Status Hearing Canceled            Status hearing canceled\n83   Subject Detained                   A subject has been detained\n     Suppress Evidence/Return           A hearing to suppress evidence or\n84\n     Property Hearing                   return seized property\n     Suppress Evidence/Return           Suppress evidence or return seized\n85\n     Property Hearing Canceled          property hearing canceled\n86   Trial (Bench) Verdict (Guilty)     Bench trial verdict (guilty)\n     Trial (Bench) Verdict (Not\n87                                      Bench trial verdict (not guilty)\n     Guilty)\n88   Trial Date                         Trial date\n89   Trial Date Canceled                Trial date canceled\n     Pretrial Diversion -               Subject was unsuccessful in the\n90\n     Unsuccessful                       Pretrial Diversion program\n                                        Delinquent verdict for juvenile\n91   Verdict (Delinquent)\n                                        subject\n92   Verdict (Guilty)                   Guilty verdict\n                                        Not delinquent verdict for juvenile\n93   Verdict (Not Delinquent)\n                                        subject\n94   Verdict (Not Guilty)               Not guilty verdict\n     Verdict Not Guilty Reason of\n95                                      Verdict reason of insanity (court)\n     Insanity (Court)\n     Verdict Not Guilty Reason of\n96                                      Verdict reason of insanity (jury)\n     Insanity (Jury)\n                                        Request for comments on subject\'s\n97   Victim Impact Statement\n                                        impact to victim\n                                      BOP\n98   Initial Designation                Initial designation\n                                        Escape while incarcerated in a BOP\n99   Escape while Incarcerated\n                                        facility\n100 Release to Halfway House            Release to halfway house\n101 Parole Hearing                      Parole hearing\n102 Release to Street                   Release to street from BOP\n\n                                77\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX IV\n\n         NOTIFICATION EVENT                         DESCRIPTION\n                                       Transferred/re-designated to another\n103 Re-designation\n                                       BOP location\n104 Release on Furlough                Release on furlough\n                                       Released to street from BOP before\n105 Pre-sentenced to Street\n                                       release date\n106 Death                              Death of inmate while in BOP\n                                       Initial registrant notification from\n107 Initial (BOP)\n                                       BOP\n108   Other (BOP)                      Other notification from BOP\n109   Apprehension After Escape        Inmate apprehended after escaping\n110   Parole Hearing Record Review     Inmate parole hearing record review\n111   Sentence Reduction               Inmate sentence reduction\n                                       Court dismissed charges on its own\n112 Court Dismissed Case\n                                       initiative\n                                       Inmate considered for compassionate\n113 Compassionate Release\n                                       release\n                                       Inmate sentenced to state prison\n114 State Concurrency (Victim)\n                                       term\n                                       Inmate sentenced to state prison\n115 State Concurrency (State)\n                                       term\n116 U.S. Military Clemency Hearing     U.S. military clemency hearing\n                                       Subject has violated supervised\n117 Supervised Release Violator\n                                       release\n118 Immediate Release to Street        Release inmate to street immediately\n    Conditional Release (Mental\n119                                    Conditional release (mental health)\n    Health)\n                                     ALL\n                                       Victim opted-out after federal\n120 No Longer a Victim                 government determined legal\n                                       definition of victim not met\n\n\n\n\n                                78\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n                  OFFICE OF THE INSPECTOR GENERAL\n                           OPT-IN SURVEY\n\nGENERAL INFORMATION\n\nThe Department of Justice developed the Victim Notification System (VNS) to provide important\ninformation to victims. Our records indicate that you are or were a victim of a federal crime (or\nan alternate contact for a victim) and that you are currently participating in the VNS. Please\ntake a few moments to answer the questions that apply to your situation. Your responses will\nhelp improve the VNS.\n\n1.     Did you receive an Initial Notification Letter from a federal agency informing you about\n       the Victim Notification System? This letter included your registrant identification and\n       pin numbers.\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No\n       \xc2\x85       I do not recall\n\n\n2.     When was the last time you received a notification or when did you last access the VNS\n       website?\n       [Fill in or check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85\n                        (month/year)\n       \xc2\x85       I do not recall.\n       \xc2\x85       I have not received any notification from the VNS.\n\n\n3.     Please indicate all forms of communication you receive regarding the Victim Notification\n       System: [Check (\xe2\x88\x9a) all that apply.]\n\n       \xc2\x85       E-mail\n       \xc2\x85       Fax\n       \xc2\x85       Letter (U.S. Mail)\n       \xc2\x85       Pager\n       \xc2\x85       Telephone\n       \xc2\x85       TDD (hearing impaired)\n       \xc2\x85       Website\n       \xc2\x85       None\n\n\n\n\n                                      79\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                                 APPENDIX V\n\n4.     Which language did you request for your notifications?\n\n       \xc2\x85       English\n       \xc2\x85       Spanish\n       \xc2\x85       Other\n       \xc2\x85       Did not specify language\n\n\n       4a.     Did you receive your notifications in the language you requested?\n\n               \xc2\x85      Yes\n               \xc2\x85      No\n\n\nCUSTODY STATUS AND RESTITUTION\n\nThe Victims of Crime Act and Justice for All Act include the rights to be reasonably protected\nfrom the accused and to full and timely restitution as provided by the law.\n\n5.     How important is it for you to know the custody status (incarcerated or not incarcerated)\n       of the defendant(s)/inmate(s) in your case? [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Extremely important\n       \xc2\x85       Very important\n       \xc2\x85       Important\n       \xc2\x85       Not important\n       \xc2\x85       Not important at all (Go to Question #8.)\n\n\n6.     Are you currently aware of the custody status of the defendant(s)/inmate(s) in your case\n       (out on bail, detained, escaped, died, case dismissed, released, etc.)? [Check (\xe2\x88\x9a) one that\n       applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No\n\n\n7.     Do you know how to find the custody status of the defendant(s)/inmate(s) in your case?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No (Go to Question #8.)\n\n\n\n\n                                     80\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n     7a.    If yes, have you called any of the following entities regarding custody status of\n            the defendant(s)/inmate(s) in your case? [Check (\xe2\x88\x9a) all that apply.]\n\n            \xc2\x85       Investigative Agency (FBI/USPIS)\n            \xc2\x85       U.S. Attorneys Office\n            \xc2\x85       VNS Call Center\n            \xc2\x85       Other\n            \xc2\x85       I have not called any of the above entities\n\n\n     7b.    How satisfied were you with the assistance you received regarding custody status\n            of the defendant(s)/inmate(s) in your case? [Check (\xe2\x88\x9a) one that applies.]\n\n            \xc2\x85       Extremely satisfied\n            \xc2\x85       Very satisfied\n            \xc2\x85       Satisfied\n            \xc2\x85       Dissatisfied\n            \xc2\x85       Very dissatisfied\n            \xc2\x85       Extremely dissatisfied \xe2\x80\x93 if dissatisfied, please explain why in the space\n                    below.\n\n\n8.   Are you a victim of a crime that involves restitution? [Check (\xe2\x88\x9a) one that applies.]\n\n     \xc2\x85      Yes\n     \xc2\x85      No (Go to Question #10.)\n\n\n     8a.      If yes, have you called any of the following entities for assistance regarding\n     restitution?\n              [Check (\xe2\x88\x9a) all that apply.]\n\n            \xc2\x85       Investigative Agency (FBI/USPIS)\n            \xc2\x85       U.S. Attorneys Office\n            \xc2\x85       VNS Call Center\n            \xc2\x85       Other\n            \xc2\x85       I have not called any of the above entities.\n\n\n\n\n                                   81\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n     8b.    How satisfied were you with the assistance you received regarding restitution?\n            [Check (\xe2\x88\x9a) one that applies.]\n\n            \xc2\x85        Extremely satisfied\n            \xc2\x85        Very satisfied\n            \xc2\x85        Satisfied\n            \xc2\x85        Dissatisfied\n            \xc2\x85        Very dissatisfied\n            \xc2\x85        Extremely dissatisfied \xe2\x80\x93 if dissatisfied, please explain why in the space\n            below.\n\n\n9.   Have you accessed the VNS website for information regarding restitution?\n     [Check (\xe2\x88\x9a) one that applies.]\n\n     \xc2\x85      Yes\n     \xc2\x85      No\n     \xc2\x85      Do Not Recall\n\n\n     9a.    If yes, how satisfied were you with the restitution information you received?\n\n            \xc2\x85        Extremely satisfied\n            \xc2\x85        Very satisfied\n            \xc2\x85        Satisfied\n            \xc2\x85        Dissatisfied\n            \xc2\x85        Very dissatisfied\n            \xc2\x85        Extremely dissatisfied \xe2\x80\x93 if dissatisfied, please explain why in the space\n            below.\n\n\n\n\n                                    82\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n                                                                                  APPENDIX V\n\nWRITTEN, VERBAL, AND WEBSITE NOTIFICATIONS\n\nThe DOJ Victim Notification System is based on a victim\xe2\x80\x99s right to reasonable, accurate, and\ntimely notice of any public court or any parole proceeding involving the crime; or of any release\nor escape of the accused. The following questions relate to the different forms of notification\n(written, verbal, and website) by which victims in the VNS are notified .\n\nThe following questions relate to written notifications via the U.S mail, e-mail, fax, and\ninformation posted on the VNS website.\n\n10.    How easy is it for you to understand the information in the notifications?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Very easy to understand\n       \xc2\x85       Easy to understand\n       \xc2\x85       Understandable\n       \xc2\x85       Difficult to understand\n       \xc2\x85       Very difficult to understand\n       \xc2\x85       Extremely difficult to understand\n\n\n11.    Has there been conflicting information in any of the notifications you received?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No (Go to Question #12.)\n\n\n       11a.    If yes, did you report the conflicting information to the federal agency that sent\n               you the notification(s)? [Check (\xe2\x88\x9a) one that applies.]\n\n               \xc2\x85       Yes\n               \xc2\x85       No (Go to Question #12.)\n\n\n       11b.    If yes, did the agency resolve the conflict(s)? [Check (\xe2\x88\x9a) one that applies.]\n\n               \xc2\x85       Yes\n               \xc2\x85       No\n\n\n\n\n                                      83\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX V\n\n12.   Have you ever found incorrect information in any notifications that you have received?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Yes\n      \xc2\x85      No (Go to Question #13.)\n      \xc2\x85      I do not know (Go to Question #13.)\n\n\n      12a.   If yes, did you report the incorrect information to the federal agency that sent you\n             the notification? [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85       Yes\n             \xc2\x85       No (Go to Question #13.)\n\n\n      12b.   If yes, did the agency correct the incorrect information? [Check (\xe2\x88\x9a) one that\n             applies.]\n\n             \xc2\x85       Yes\n             \xc2\x85       No\n\n\n13.   In your opinion, do you agree or disagree that you have been notified of all events (such\n      as public court proceedings) involving your case? [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Strongly agree\n      \xc2\x85      Agree\n      \xc2\x85      Neutral\n      \xc2\x85      Disagree\n      \xc2\x85      Strongly disagree\n      \xc2\x85      I do not know.\n\n\n14.   Do you agree or disagree that you received timely notices well before the events?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Strongly agree (Notices were received well before the events.) (Go to Question\n             #15.)\n      \xc2\x85      Agree (Go to Question #15.)\n      \xc2\x85      Neutral (Go to Question #15.)\n      \xc2\x85      Disagree\n      \xc2\x85      Strongly disagree (Notices were not received well before the events.)\n\n\n\n\n                                    84\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX V\n\n      14a.   If notices were not timely, how often did you receive late notifications?\n             [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85       1-3 times\n             \xc2\x85       4-6 times\n             \xc2\x85       7-9 times\n             \xc2\x85       10 times or more\n\n\n      14b.   If notices were not timely, did you ever miss an event you wanted to attend\n             because of a late notification? [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85       Yes\n             \xc2\x85       No (Go to Question #15.)\n\n\n      14c.   If yes, how many events did you miss? [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85       1-3 events\n             \xc2\x85       4-6 events\n             \xc2\x85       7-9 events\n             \xc2\x85       10 events or more\n\n\n15.   Did you participate in any event (for example, attend, speak, or submit a victim impact\n      statement) after receiving a notification? [Check (\xe2\x88\x9a) one that applies]\n\n      \xc2\x85      Yes\n      \xc2\x85      No\n      \xc2\x85      Not applicable\n\n\n16.   Were you ever not able to attend an event because the notification was unclear or\n      contained conflicting information? [Check (\xe2\x88\x9a) one that applies]\n\n      \xc2\x85      Yes\n      \xc2\x85      No\n      \xc2\x85      Not applicable\n\n\n\n\n                                    85\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX V\n\n17.    Overall, how useful was the information provided to you in the notification(s)?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Very useful\n       \xc2\x85      Useful\n       \xc2\x85      Neutral\n       \xc2\x85      Not useful\n       \xc2\x85      Not at all useful\n\n\nThe following questions pertain to the VNS Internet Website.\n\n18.    Have you ever accessed the VNS website to review your case information?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Yes\n       \xc2\x85      No (Go to Question #30.)\n\n\n19.    How easy or hard was the process to set up your VNS website account?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Very easy\n       \xc2\x85      Somewhat easy\n       \xc2\x85      Neither hard nor easy\n       \xc2\x85      Somewhat hard\n       \xc2\x85      Very hard\n\n\n20.    How easy or hard is it to navigate or find information within the VNS website?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Very easy\n       \xc2\x85      Somewhat easy\n       \xc2\x85      Neither hard nor easy\n       \xc2\x85      Somewhat hard\n       \xc2\x85      Very hard\n\n\n\n\n                                     86\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n21.   How often have you accessed the VNS website for information? [Check (\xe2\x88\x9a) one that\n      applies.]\n\n      \xc2\x85      Every day\n      \xc2\x85      Weekly\n      \xc2\x85      Monthly\n      \xc2\x85      Quarterly\n      \xc2\x85      Annually\n      \xc2\x85      I have not accessed the website since I set up my account.\n\n\n22.   How easy was it for you to understand the information on the website?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Very easy to understand\n      \xc2\x85      Easy to understand\n      \xc2\x85      Neither easy or difficult to understand\n      \xc2\x85      Difficult to understand\n      \xc2\x85      Very difficult to understand\n\n\n23.   Did you find all the information you wanted on the website? [Check (\xe2\x88\x9a) one that\n      applies.]\n\n      \xc2\x85      Found all information\n      \xc2\x85      Found almost all information\n      \xc2\x85      Found some information\n      \xc2\x85      Found little information\n      \xc2\x85      Did not find information\n\n\n24.   Was there conflicting information on the website? [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Yes\n      \xc2\x85      No (Go to Question #25.)\n\n\n      24a.   If yes, did you report the conflicting information to any of the following entities?\n             [Check (\xe2\x88\x9a) all that apply.]\n\n             \xc2\x85      Investigative agency\n             \xc2\x85      U.S. Attorneys Office\n             \xc2\x85      VNS Call Center\n             \xc2\x85      Other\n\n\n\n                                    87\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                        REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n             \xc2\x85      I did not report the conflicting information.\n                    (Go to Question #25.)\n\n\n      24b.   Were information conflicts resolved? [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85      Yes\n             \xc2\x85      No\n\n\n25.   Have you ever come across incorrect information in the website? [Check (\xe2\x88\x9a) one that\n      applies.]\n\n      \xc2\x85      Yes\n      \xc2\x85      No (Go to Question #26.)\n      \xc2\x85      I do not know (Go to Question #26.)\n\n\n      25a.   If yes, did you report the incorrect information to any of the following entities?\n             [Check (\xe2\x88\x9a) all that apply.]\n\n             \xc2\x85      Investigative agency\n             \xc2\x85      U.S. Attorneys Office\n             \xc2\x85      VNS Call Center\n             \xc2\x85      Other\n             \xc2\x85      I did not report the incorrect information.\n\n\n      25b.   Was the incorrect information corrected? [Check (\xe2\x88\x9a) one that applies.]\n\n             \xc2\x85      Yes\n             \xc2\x85      No\n\n\n26.   In your opinion, do you agree or disagree that notice of event(s) was posted on the VNS\n      website in a timely manner? [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Strongly agree (Go to Question #27.)\n      \xc2\x85      Agree (Go to Question #27.)\n      \xc2\x85      Neutral (Go to Question #27.)\n      \xc2\x85      Disagree\n      \xc2\x85      Strongly disagree\n\n\n\n\n                                    88\n                        REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX V\n\n       26a.    If you disagree, did you miss an event because the information was posted too\n       late?\n               [Check (\xe2\x88\x9a) one that applies.]\n\n               \xc2\x85      Yes\n               \xc2\x85      No\n\n\n        26b.   How often have you noticed late posting(s) on the website? [Check (\xe2\x88\x9a) one that\napplies.]\n\n               \xc2\x85      1-3 times\n               \xc2\x85      4-6 times\n               \xc2\x85      7-9 times\n               \xc2\x85      10 times or more\n\n\n27.    Have you participated in any event (for example, attend, speak, or submit a victim impact\n       statement) after reviewing VNS website information? [Check (\xe2\x88\x9a) one that applies]\n\n       \xc2\x85       Yes\n       \xc2\x85       No\n\n\n28.    Overall, how useful is the information provided to you on the website?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Very useful\n       \xc2\x85       Useful\n       \xc2\x85       Neutral\n       \xc2\x85       Not useful\n       \xc2\x85       Not at all useful\n\n\n29.    If any, what information would you like to see added to the website?\n       (Please print your answer below.)\n\n\n\n\n                                      89\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX V\n\nCALL CENTER \xe2\x80\x93 AUTOMATED INFORMATION AND LIVE ASSISTANCE\n\nThe following questions relate to the VNS Call Center, which provides victims with automated\ninformation and/or live assistance with their case, or live assistance with the VNS website.\n\n30.     Have you called the toll-free number to get Call Center assistance? [Check (\xe2\x88\x9a) one that\napplies.]\n\n       \xc2\x85      Yes\n       \xc2\x85      No (Go to Question #46.)\n       \xc2\x85      I do not recall (Go to Question #46.)\n\n\n       30a.   If yes, what type of assistance did you receive from the Call Center?\n              [Check (\xe2\x88\x9a) all that apply.]\n\n              \xc2\x85       Automated Assistance\n              \xc2\x85       Live Assistance\n              \xc2\x85       Both\n\n\n31.    Have you ever contacted the Call Center and hung up for any of the following reason(s)?\n       [Check (\xe2\x88\x9a) all that apply.]\n\n       \xc2\x85      It took too long to get help.\n       \xc2\x85      There were too many instructions to follow.\n       \xc2\x85      The automated call system was too difficult to use.\n       \xc2\x85      Other (please describe)\n\n\nPlease answer Questions #32-37 only if you have used the Call Center\xe2\x80\x99s automated system for\ncase information; otherwise go to Question #38.\n\n32.    How often have you used the automated system? [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Often\n       \xc2\x85      Sometimes\n       \xc2\x85      Rarely\n       \xc2\x85      Never (Go to Question #38.)\n\n\n\n\n                                     90\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                       REDACTED FOR PUBLIC RELEASE\n                                                                             APPENDIX V\n\n33.   How would you rate the automated system availability when you called?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Always available\n      \xc2\x85      Often available\n      \xc2\x85      Sometimes available\n      \xc2\x85      Rarely available\n      \xc2\x85      Never available\n\n\n34.   How easy is it to access information through the automated system?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Very easy\n      \xc2\x85      Easy\n      \xc2\x85      Somewhat easy\n      \xc2\x85      Not easy\n      \xc2\x85      Not easy at all\n\n\n35.   Is the information easy to hear on the automated system? [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Yes\n      \xc2\x85      No\n\n\n36.   Did you receive the information you wanted from the automated system?\n      [Check (\xe2\x88\x9a) one that applies.]\n\n      \xc2\x85      Always received the information\n      \xc2\x85      Often received the information\n      \xc2\x85      Sometimes received the information\n      \xc2\x85      Rarely received the information\n      \xc2\x85      Never received the information\n\n\n37.   What additional information would you like made available from the Call Center\xe2\x80\x99s\n      automated system for case information? Please print your answer below.\n\n\n\n\n                                   91\n                       REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                              APPENDIX V\n\nAnswer Questions #38-41 only if you used live assistance for case information; otherwise go to\nQuestion #42.\n\n38.    How often have you used live assistance from the Call Center? [Check (\xe2\x88\x9a) one that\n       applies.]\n\n       \xc2\x85      Often\n       \xc2\x85      Sometimes\n       \xc2\x85      Rarely\n       \xc2\x85      Never (Go to Question #42.)\n\n\n39.    How would you rate the live assistance availability when you called?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Always available\n       \xc2\x85      Often available\n       \xc2\x85      Sometimes available\n       \xc2\x85      Rarely available\n       \xc2\x85      Never available\n\n\n40.    Did you receive the information you wanted? [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Always received the information\n       \xc2\x85      Often received the information\n       \xc2\x85      Sometimes received the information\n       \xc2\x85      Rarely received the information\n       \xc2\x85      Never received the information\n\n\n41.    What additional information would you like made available from the Call Center\xe2\x80\x99s live\n       assistance for case information? Please print your answer below.\n\n\nAnswer Questions #42-45 only if you used the Call Center for VNS website assistance; otherwise\ngo to Question #46.\n\n42.    Have you ever contacted the Call Center for VNS website assistance?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Yes\n       \xc2\x85      No (Go to Question #45.)\n\n\n\n\n                                     92\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX V\n\n43.    For which of the following did you need VNS website assistance? [Check (\xe2\x88\x9a) all that\n       apply.]\n\n       \xc2\x85      Victim Identification Number (VIN)\n       \xc2\x85      Personal Identification Number (PIN)\n       \xc2\x85      VNS website access\n       \xc2\x85      Other VNS website questions (Please print your answer below.)\n\n\n44.    Did you receive the information about the VNS website you wanted from the Call Center\n       live assistance? [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85      Always received the information\n       \xc2\x85      Often received the information\n       \xc2\x85      Sometimes received the information\n       \xc2\x85      Rarely received the information\n       \xc2\x85      Never received the information\n\n\n45.    What additional information would you like made available from the Call Center for\n       VNS website assistance?\n       Please print your answer below.\n\n\nYOUR OPINION COUNTS\n\nYour opinion is very important to help improve the Victim Notification System. Please answer\nthe following questions about your experiences with the services and information provided by the\nVNS. Please print your answers in the space provided below each question.\n\n46.    What are the most beneficial services provided by the VNS?\n\n\n47.    What improvements would you like to see made to the VNS?\n\n\n48.    What additional information in the VNS would be useful to you?\n\n\nThank you for taking the time to complete the survey. Your participation is greatly appreciated\nand will help to improve the Department of Justice Victim Notification System.\n\n\n\n\n                                     93\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                          REDACTED FOR PUBLIC RELEASE\n                                                                                APPENDIX VI\n\n\n\n                   OFFICE OF THE INSPECTOR GENERAL\n                           OPT-OUT SURVEY\n\nThe U.S. Department of Justice developed the Victim Notification System (VNS) to provide\nimportant information to victims. Our records indicate that you are or were a victim of a federal\ncrime (or an alternate contact for a victim), but that you are currently not receiving notifications\nfrom the VNS. Please take a moment to answer the questions that apply to your situation.\n\n1.     Did you receive an Initial Notification Letter from a federal agency informing you about\n       the Victim Notification System that included your registrant identification number and\n       pin number?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No\n       \xc2\x85       Do not recall\n\n\n2.     Did you choose not to receive notification from the Victim Notification System?\n       [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No (Go to question #3a.)\n       \xc2\x85       Do not recall (Go to Question #3a.)\n\n\n       2a.     If yes, what was your reason for choosing not to receive notification from the\n               Victim Notification System?\n\n               \xc2\x85       Please print your answer below.\n\n               \xc2\x85       I do not recall the reason given.\n\n3.     If it was not your choice to stop receiving notification, were you informed by a federal\n       agency that you would no longer receive notification? [Check (\xe2\x88\x9a) one that applies.]\n\n       \xc2\x85       Yes\n       \xc2\x85       No (Go to question #4.)\n\n\n\n\n                                      94\n                          REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                               APPENDIX VI\n\n       3a.    If yes, what was the reason given? [Check (\xe2\x88\x9a) one that applies.]\n\n              \xc2\x85       Please print your answer below.\n\n              \xc2\x85       I do not recall the reason given. (Go to question #4.)\n\n       3b.    Was the reason given by the federal government agency to your satisfaction?\n\n              \xc2\x85       I was satisfied.\n\n              \xc2\x85       I was dissatisfied. (Please print your explanation below.)\n\n\n4.     Do you have any additional comments about the Victim Notification System?\n       [Please print your comments below.]\n\n\nThank you for taking the time to complete the survey. Your participation is greatly appreciated\nand will help our review of the Victim Notification System.\n\n\n\n\n                                     95\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX VII\n                     OPT-IN SURVEY\n        SCOPE, METHODOLOGY, AND RESPONSE REVIEW\n\n       This appendix describes the approach employed to extract the\nuniverse of victims to whom notifications were generated by the VNS during\nthe scope of our review. From this universe, a sample of registrant\nidentification numbers was selected and a questionnaire was sent to the\nsampled victims. Accordingly, the descriptions of the sample selection\nprocess and the survey response review are included in this appendix. Our\nobjective was to determine whether the VNS served its intended purpose\nand satisfied victims\xe2\x80\x99 expectations.\n\nScope\n\n       The scope of our universe consisted of opt-in victims with approved\nnotification information between October 1, 2004, and September 30, 2006.\n\xe2\x80\x9cOpt-in\xe2\x80\x9d is the status of a registered victim or contact allowing them to\nreceive notifications and access the VNS phone line and Internet web page.\n\nMethodology\n\n     To determine the number of victims registered in the VNS, we\nrequested specific data fields contained in the VNS database between\nOctober 1, 2004, and September 30, 2006. We obtained the data to select a\nsample of victims for our survey deployment.\n\n       The VNS creates a unique registrant identification number (Registrant\nID) to identify a victim. The Registrant ID data field was used as the anchor\ndata field in the universe extraction process. We requested data for each\nnotification phase (investigative, prosecution, and incarceration) using the\nRegistrant ID as the primary key for opt-in victims. We requested case\ninformation, such as the investigative case number, notification event, USAO\nagency name, USMS inmate number, custody status; and victim information,\nsuch as city, state, and country.\n\nData Organization and Sample Selection\n\n      We identified records associated to the opt-in victims and requested\nthe databases from EOUSA. We constructed the opt-in victim universe from\nthe received data download. We uploaded the databases to summarize the\ndata in order to compile the information and link tables to create a universe\nfrom which we could select the sample. There were a total of 621,276\nregistrant IDs we identified that were at least in 1 of the 3 phases during the\n\n                                96\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX VII\nscope of our audit. We then removed 4,000 registrant IDs that had\npreviously been surveyed by EOUSA to arrive at our final universe of\n618,201 unique sample units. We also created a sub-set of\n52,166 registrant IDs from the universe using the incarceration phase\xe2\x80\x99s\n\xe2\x80\x9cNotification Event Types\xe2\x80\x9d field with events that were related to the release\nof inmates.\n\n       We separated the universe into two categories for U.S. and non-U.S.\nRegistrant IDs using the victim information fields, state, and country. We\nthen stratified the universe of unique Registrant IDs and the incarceration\nphase release-related events sub-set. We then created nine strata through\nvarious grouping of the three phases and the incarceration release-related\nevents using the U.S. Registrant IDs to group them. The tenth stratum\nincluded the Registrant IDs with non-U.S. addresses and those with no\naddress information identified. The sample selection process included the\nsample sizes for each of the 10 strata that were statistically calculated. The\ntotal population size was 618,203 Registrant IDs, and the sample size was\n2,783.\n\nSurvey Response Review\n\n      We received a total of 691 surveys mailed back to us by the recipients.\nWe found that some respondents completed the survey, answered only\nsome of the questions, or included a comment without completing the\nsurvey. As a result, we reviewed the data to eliminate surveys that did not\ncontain useful information. Upon closer review of the data, we found\nrecords of surveys that did not have responses to all the questions in the\nsurvey. We identified and excluded those records with non-responses and\narrived at a data set of 531 records. We used the data in these 531 records\nfor analysis using the SPSS software package.\n\nConclusion\n\n      Of the total 618,201 unique VNS Registrant ID numbers opted into the\nsystem from October 1, 2004, through September 30, 2006, which were\nsuitable for our survey deployment, our sample size was 2,783. We\nreceived a total of 691 surveys, of which 531 were considered to have useful\nresponses.\n\n\n\n\n                                97\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                     REDACTED FOR PUBLIC RELEASE\n                                                              APPENDIX VIII\n\n                         OPT-OUT SURVEY\n                     SCOPE AND METHODOLOGY\n\n      The following methodology was employed for data analysis and used\nto obtain a functional universe for sample selection purposes. The\ntechniques in this analysis include, but were not limited to, exploratory\nanalysis, comparative analysis, and descriptive analysis. We describe the\nresults of the analysis at different phases, reasons for the analysis, and the\nsample methodology.\n\n      In the database of 347,716 opted-out records, there were a total of\n71,179 unique VNS Registrant IDs. In order to understand the reasons for\nopt out, we examined the data and we found four different types of data\nvalues and blanks in the field \xe2\x80\x9cOPT-OUT REASON\xe2\x80\x9d to include invalid address,\nuser choice, contact choice, no longer a victim, and blank fields.\n\n      We excluded the 52,029 VNS IDs that were associated with \xe2\x80\x9cInvalid\nAddress\xe2\x80\x9d and 6,025 records that had no information in both the city and\nstate columns of the database. The final universe of opt-out victims\ncontained 13,125 records (opt-out victims) and only included records that\nhad enough information for sample selection purposes.\n\n       In order to obtain a better response rate and useful responses to the\nquestions, we used a stratified sampling plan. The universe of\n13,125 unique Registrant IDs was stratified considering the combination of\nthe number of notifications and the values in the \xe2\x80\x9cOPT-OUT REASON\xe2\x80\x9d field\nfor a total of 489 sample Registrant IDs selected.\n\nOpt-out Survey Response Analysis\n\n      There were 58 respondents who responded to the opt-out survey.\nThere were 14 respondents who did not respond to all or most of the\nquestions in the survey. The responses from these 14 respondents were\nexcluded from further analysis. A frequency table of the remaining\n44 responses was saved and used for logical tests analyses.\n\n\n\n\n                                 98\n                     REDACTED FOR PUBLIC RELEASE\n\x0c                    REDACTED FOR PUBLIC RELEASE\n                                                               APPENDIX IX\n\n\n\n                OPT-IN SURVEY QUESTION 41\n\nWhat additional information would you like made available from the Call\nCenter\xe2\x80\x99s live assistance for case information?\n\n    No.                               Comment\n    1.    Called once.\n    2.    Someone who can translate in Navajo- Navajo legal terminology.\n    3.    Information about restitution.\n    4.    Plain and simply how to access live assistance. Couldn\'t figure\n          out how to get live assistance.\n    5.    Would like phone interview and additional space.\n    6.    Respond right away if anybody call in emergency case.\n    7.    The Call Center is hindered by minimal information details that\n          are not readily available.\n    8.    Survey person discuss what VNS was about.\n    9.    Don\'t Know.\n    10.   Why was information sent to me. I only called to get an\n          explanation of how my name was selected.\n    11.   Status of restitution- where\' my money and when will I get it.\n    12.   N/A\n    13.   I am not qualified to answer this.\n    14.   Is my case or status needed?\n    15.   Is the criminal in prison? Can we expect restitution of our stolen\n          money?\n    16.   How to log into my online account. Someone was supposed to\n          send me new info in the mail. I\'ve now been waiting almost one\n          year for it!\n    17.   XXXXX XXXXX was on vacation.\n    18.   None\n\n\n\n\n                                99\n                    REDACTED FOR PUBLIC RELEASE\n\x0c                REDACTED FOR PUBLIC RELEASE\n                                                          APPENDIX IX\n\n\nNo.                               Comment\n19.   More detailed information and awareness of the operators. They\n      were uneducated to fully answer my questions.\n20.   None\n21.   I would like to know more information on how my case is going.\n      I have heard nothing since April, 2006.\n22.   Update on the investigation!\n23.   Please have me informed what\'s going on.\n24.   I made the initial call in response to a bomb threat. I do not\n      know any information after the initial report.\n25.   Actual Assistance\n26.   Time frame on our money.\n27.   Updated, current info in custody??\n28.   Want system to work.\n29.   Can\'t think of anything.\n\n\n\n\n                            100\n                REDACTED FOR PUBLIC RELEASE\n\x0c    REDACTED FOR PUBLIC RELEASE\n                                  APPENDIX X\n\n THE VICTIM NOTIFICATION SYSTEM\xe2\x80\x99S\nVULNERABILITY ASSESSMENT RESULTS\n\n\n\n [SENSITIVE INFORMATION REDACTED]\n\n\n\n\n                101\n    REDACTED FOR PUBLIC RELEASE\n\x0c    REDACTED FOR PUBLIC RELEASE\n                                  APPENDIX XI\n THE VICTIM INTERNET SYSTEM\xe2\x80\x99S\nWEB APPLICATION TESTING RESULTS\n\n\n\n [SENSITIVE INFORMATION REDACTED]\n\n\n\n\n                102\n    REDACTED FOR PUBLIC RELEASE\n\x0c                         REDACTED FOR PUBLIC RELEASE\n                                                                    APPENDIX XII\n EXECUTIVE OFFICE FOR UNITED STATES ATTORNEYS\n                   RESPONSE\n\n\n                      U.S. Department of Justice\n\n                      Executive Office for United States Attorneys\n\n\nOffice of Legal Programs and Policy             Suite 7600, Bicentennial Building       (202) 616-6444\n                                                600 E Street, NW                    FAX (202) 616-6647\n                                                Washington, D.C. 20530-0001\n\n\n\n\n                                                January 17, 2008\n\nMEMORANDUM\n\nTO:              Raymond J. Beaudet\n                 Assistant Inspector General for Audit\n                 Office of the Inspector General\n\n\n                       /s/\nFROM:            Kenneth E. Melson\n                 Director\n\nSUBJECT:         Response to OIG Report on the Department\xe2\x80\x99s\n                 Victim Notification System\n\n       Thank you for the opportunity to review the Department of\nJustice, Office of the Inspector General\xe2\x80\x99s (OIG) draft audit report\nentitled, \xe2\x80\x9cThe Department of Justice\xe2\x80\x99s Victim Notification System.\xe2\x80\x9d The\nExecutive Office for United States Attorneys (EOUSA) is proud of what\nit has accomplished with the Victim Notification System (VNS) since its\nimplementation in January 2002. Since that time, 31,891,296\nnotification events have been provided to over one million victims of\nfederal crimes. The VNS is the most robust system in the country for\nproviding notification to victims of crime, far surpassing any other\nsystem in its complexity and the number of notifications sent. It also\nis the only system which we are aware of that by default opts-in all\nvictims of crimes. Without the system, the United States Attorneys\xe2\x80\x99\nOffices (USAO) would not be capable of meeting the requirements of\nthe Crime Victims Rights Act to provide victims with notification of all\npublic court proceedings. EOUSA concurs with most of the\n\n                                     103\n                         REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                        APPENDIX XII\nrecommendations resulting from this review and provides its response\nbelow.\n\n      Providing notifications to victims requires the cooperation of\nmany organizations beyond EOUSA and we will work with the USAOs,\nother Department components, and the other government agencies to\nresolve and implement solutions to the OIG\xe2\x80\x99s findings. EOUSA expects\nthe full cooperation of all the parties mentioned in working to continue\nto improve our ability to provide notifications of public court\nproceedings to victims of crime and will take all appropriate steps to\nhelp achieve compliance with OIG\xe2\x80\x99s recommendations.\n\n       VNS provides notifications worldwide to victims of every\nbackground and experience, regarding an immense array of crimes\nand types of proceedings. It is necessarily broad and simple in its\ndelivery. Its role is not to provide victims with all information they\nmay want, or to inform victims about the system itself. That role is\nbest handled by individuals who know the facts of the case and can\nthoroughly explain the situation to a victim. The role of VNS is to\nassist the Department with its provision of statutorily-mandated victim\nnotifications. EOUSA will continue to seek to improve VNS to ensure\nthat notifications are accurate and timely; however, VNS cannot\nreplace the human interaction by USAO personnel with victims to\nprovide them with additional information concerning their cases.\n\n      Documentation detailing EOUSA\xe2\x80\x99s efforts to implement the action\nplan will be provided to the OIG until all corrective actions are taken.\n\nACTION PLAN\n\nRecommendation 1: Develop a written plan to: (1) archive VNS\ndata, which should include a schedule for the initial archiving,\nparameters for subsequent archiving, and the criteria it will\nutilize to determine the records ready for archiving; or (2)\nacquire new equipment that will resolve the capacity issue.\n\nResponse to Recommendation 1: Regarding the archiving of data,\nthe OIG found \xe2\x80\x9c. . . because data in the VNS has never been archived,\nstorage space on the VNS server has been filled to almost 80 percent\nof its capacity, affecting both data access speed and performance of\nthe System.\xe2\x80\x9d Archival of data was included as a contract requirement\nin order to lessen the impact on system performance. However,\nEOUSA would note that despite the decline in performance resulting\nfrom the capacity issues, the System continued to operate within the\n\n                             104\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                        APPENDIX XII\nparameters of the contract as evidenced by the monthly performance\nreports.\n\nDuring the period covered by the OIG report new equipment was\nacquired by EOUSA and the installation of that equipment was\ncompleted on October 20, 2007. Funding for this equipment was\nprovided in part from the annual OVC grant for VNS ($284,640) and\nfrom funds provided by EOUSA ($116,960). The replacement of the\nold equipment has alleviated the storage space issues for the projected\nlife span of the new equipment and negates the necessity for archiving\ndata. The next VNS contract has been tasked with addressing the\nissue of data archival in light of the decreasing cost of on-line data\nstorage and the significant technology advances in this area.\n\nRecommendation 2: Ensure that it is utilizing the newer\nversion of the Tracker software, called Front Range, to allow\nfor a more user-friendly data extraction and reporting function.\nFurther, ensure that Front Range\'s feature that automatically\ne-mails the caller upon the closing of a ticket has been enabled\nand is being utilized to the fullest extent.\n\nResponse to Recommendation 2: As part of the Call Center/Help\nDesk procedure contacts by victims and government users of the\nSystem with the contractor staff are logged and notes of the substance\nof the contact are maintained. The software used by the contractor for\nthis purpose was Tracker. As noted in the Report on page 13, Tracker\nwas replaced with Front Range on July 5, 2007.\n\nEOUSA does plan to implement the email feature available within Front\nRange to survey individuals upon the closing of a \xe2\x80\x9cticket\xe2\x80\x9d regarding\ncustomer satisfaction with the Help Desk. This feature is expected to\nbe implemented in a future release to VNS.\n\nRecommendation 3: Develop a universal interface for federal\ninvestigative agencies to upload data directly to the VNS.\n\nResponse to Recommendation 3: EOUSA has considered the\nuniversal interface one of several priorities since we conceived the idea\nalmost three years ago. However, the enactment of the CVRA in 2004\nhas forced EOUSA to adopt many changes in VNS to accommodate\nthat new law. As noted in the OIG report, funding for VNS actually\ndeclined since FY 2004. However, EOUSA accomplished the required\nchanges to implement the CVRA within the declining allocation\nprovided by OVC. Absent those demands on the VNS budget, the\n\n                             105\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n                                                         APPENDIX XII\nuniversal interface would likely have been implemented. EOUSA does\nplan to proceed with the universal interface when adequate funds are\nmade available by OVC.\n\nRecommendation 4: Work with the AOUSC to develop the\nhardware to connect the VNS and the AOUSC, develop a plan to\nconnect individual federal court districts to the VNS using this\ninterface, and endeavor to ensure that all federal districts are\nconnected to the VNS.\n\nResponse to Recommendation 4: EOUSA and AOUSC have agreed\nto develop the ability to connect individual district courts to VNS. That\ntechnical development is underway and the projected completion date\nis late March 2008. Approximately 94 percent of this project was\nfunded by EOUSA; a minimal amount was funded from the OVC annual\ngrant to EOUSA for VNS. (Total expenditure $726,078, OVC funded\n$46,038.)\n\nAs part of the project with AOUSC, EOUSA intends to develop a plan to\npromote the connection of the individual district Courts to VNS. We\nbelieve this plan will ultimately result in the majority of U.S. District\nCourts participating in the VNS. However, absent Congressional\naction, the Department of Justice as part of the Executive Branch of\nthe government will not be able to \xe2\x80\x9censure\xe2\x80\x9d the Courts, as part of the\nJudicial Branch, connect to VNS.\n\nIt must be noted that while EOUSA was able to provide funding for\nVNS this one fiscal year, we will not be able to continue to supplement\nfunding for VNS in the future and must rely on sufficient funds being\nprovided by OVC to continue with the operation, maintenance and\nenhancements for this System.\n\nRecommendation 5: Work with VNS-participating agencies to\ndevelop and implement procedures for federal VNS users to\nensure that victims\xe2\x80\x99 contact information is current and\nupdated.\n\nResponse to Recommendation 5: EOUSA agrees that it is essential\nthat VNS contain current and accurate victim-contact information so\nthat victims receive timely notification of court events. EOUSA also\nnotes that frequently, it is difficult to obtain up-to-date victim contact\ninformation during the course of a criminal investigation. For example,\nin large-victim cases, often the only source of victim contact\ninformation is from a defendant\xe2\x80\x99s files, and this information can be\n\n                              106\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                       APPENDIX XII\nincomplete or inaccurate. In addition, victims often will move without\ninforming investigators of their new addresses. In spite of these\ninherent difficulties, EOUSA will work with VNS-participating agencies\nto develop and implement additional procedures to ensure that victim\ncontact information is as up-to-date and accurate as possible.\n\nRecommendation 6: Develop long-range plans for the VNS and\nits management that include: (1) future software and hardware\nupgrades, (2) replacement of outdated equipment, (3)\nexpansion of VNS server storage capacity, (4) a projection of\nenhancements needed to account for the future needs of\ngovernment and victim users, and (5) a formal succession plan\nfor VNS project management.\n\nResponse to Recommendation 6: (1) Future hardware and\nsoftware upgrades are currently being addressed by the next VNS\ncontract which is scheduled for award in 2008. That agreement will\nrequire the contractor to provide a plan for periodic replacement of\nVNS hardware and/or software; (2) the \xe2\x80\x9coutdated\xe2\x80\x9d equipment referred\nto in the Report was replaced on October 20, 2007; (3) Server storage\ncapacity was resolved with the October 20, 2007 equipment\nreplacement. Future storage issues will be part of the contract life\ncycle plans incorporated in the next VNS contract (see Response to\nRecommendation #1) ; (4) Regarding a plan for future enhancements,\nin early September 2007, EOUSA held a conference for USAO\nvictim/witness staff members at the National Advocacy Center in\nColumbia, South Carolina. During that conference approximately 67\nstaff members representing offices from across the country attended a\nsession dedicated to soliciting ideas for improving VNS and long range\nneeds for users and victims. Those ideas will be used in conjunction\nwith the next VNS contract to plan for the future. The new contract\nwill contain provisions for the contractor to evaluate the current\ntechnology and to provide proposals for improvements to the System.\nHowever, any such long range plans for future needs are subject to\nsufficient funds, beyond the static allotment which has been furnished\nto EOUSA for this program since 2002, being made available from\nOVC; (5) EOUSA is responsible for maintaining several of the\nDepartment\xe2\x80\x99s largest systems including LIONS, CDCS, and USA-5.\nProgram managers have changed a number of times for these systems\nand others, so EOUSA does not believe there is reason for concern that\nthere is no written succession plan for the program manager of VNS;\nhowever, EOUSA will provide the OIG with a written plan in the near\nfuture.\n\n\n                             107\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                         APPENDIX XII\nRecommendation 7: Work with VNS-participating agencies to\ndevelop and implement a nationwide procedure for addressing\nundeliverable correspondence and e-mail.\n\nResponse to Recommendation 7: Regarding undeliverable email\nnotices, the use of email as a notification method has increased\nsignificantly since FY05 due to an engineering change implemented in\nearly FY06. (Successful emails: FY05 - 34,358; FY06 - 598,073; FY07\n868,857. Successful means VNS generated and transmitted the email\nnotice.) EOUSA has recognized the need to address the undeliverable\nemail issues, however, the need to devote the limited amount of VNS\nfunding to CVRA related issues has impacted our ability to resolve this\nmatter. The new VNS contract will require a technical solution to this\nissue; however the technical change cannot be made until sufficient\nfunding is made available.\n\nRegarding undeliverable correspondence, EOUSA does encourage\nUSAOs to make their best efforts to follow up on returned mail to\nobtain more accurate addresses. Further, it must be acknowledged\nthat it is the responsibility of investigative agencies to ensure that\naccurate addresses are initially entered into VNS. However,\nrecognizing the importance of ensuring that victims receive\nnotifications, EOUSA will work with other agencies to develop a\nnationwide policy regarding returned mail.\n\nRecommendation 8: Improve the Call Center automated\nassistance to allow callers to reach an operator at any point\nduring a call.\n\nResponse to Recommendation 8: The current Call Center process,\nwhich only allows access to the Help Desk by victims once the ID/PIN\nis correctly entered, was engineered to provide some authentication\nfor the Help Desk to assist in protecting the victim\xe2\x80\x99s personal\ninformation in the System. However, we agree the System should\npermit a caller to reach an operator at any point after the user ID/PIN\nhas been authenticated. An engineering change to allow this access\nwill be considered for a future release to VNS.\n\nRecommendation 9: Follow up with the sub-contractor at the\nVNS Call Center to fulfill its requirement to have a Spanish-\nspeaking operator available during all hours of operation.\n\nResponse to Recommendation 9: Section C.5.10(b)(4) of the VNS\ncontract requires: \xe2\x80\x9cThe victim must also have the option of speaking\n\n                             108\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                         APPENDIX XII\ndirectly with a Call Center operator (during Call Center hours of\noperation, see Section C.6) to obtain case information in either English\nor Spanish.\xe2\x80\x9d According to the contractor, about one operator call per\nmonth requires a fluent Spanish speaking operator. The VNS Project\nManager has discussed the requirement with the VNS contractor.\nCurrently, the Call Center has one fluent Spanish speaker and the\nremaining staff has some Spanish speaking capability. The contractor\nis aware of the requirement and is taking steps to recruit Spanish\nspeakers.\n\nIn the interim, we have devised a plan which will make use of a\ndepartment within Appriss which provides Spanish translations. If a\nSpanish speaker is not available at the Call Center, the Call Center will\ncontact by telephone the Appriss translation department (located in\nthe same building as the VNS Call Center), establish a 3-way call and\nhave the Appriss division provide the translation for the Help Desk.\nThis is intended as temporary solution until such time as the Call\nCenter can hire operators fluent in Spanish.\n\nRecommendation 10: Work with the USMS to ensure that the\naccurate custody status of defendants is available to victims\nutilizing VNS services.\n\nResponse to Recommendation 10: In September 2007, EOUSA\nfunded the cost of the engineering changes which will allow VNS to\naccept custody status data directly from the USMS. EOUSA has been\nin contact with USMS regarding this interface between the two\nsystems, and plans to have VNS ready to accept data from USMS by\nMarch 2008. Once implemented, the data from USMS will provide VNS\nand victims with the current custody status of the defendant while\ntheir case is being litigated.\n\nRecommendation 11: Ensure that information regarding\nrestitution is consistent throughout the VIS so that it is clear to\nvictims whether restitution information is available to them.\n\nResponse to Recommendation 11: EOUSA will undertake\nadditional review of VIS regarding the consistency of the information\nprovided regarding the availability of restitution.\n\nRecommendation 12: Work with VNS-participating agencies to\ndevelop a requirement for federal VNS users to record a reason\nfor opting a victim out of the VNS.\n\n\n                             109\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                        APPENDIX XII\nResponse to Recommendation 12: EOUSA will request an\nengineering change to VNS which will require users to select one of the\nopt-out reasons when electing to stop notifications from being\nprovided to a registered victim. This change will need to be carried\nover to various screens and reports in VNS involving the opt-out\nfunction. When sufficient funding is made available this change will be\nimplemented.\n\nRecommendation 13: Perform data integrity checks and\nimplement the encryption of data files received to ensure\ncompletion and accuracy in accordance with Department policy.\n\nResponse to Recommendation 13: The EOUSA notes that all VNS\ndata files are validated for format as part of the VNS import process;\nany incomplete or malformed files are rejected, thereby reducing the\nrisk to system integrity and availability. Partial session encryption,\nrather than complete session encryption, is utilized for data transfers\nfrom the FBI and BOP; thereby providing partial rather than complete\nassurance of data integrity. The EOUSA VNS Program Management\noffice is currently testing complete session encryption with the FBI,\nBOP, and the Justice Management Division (Rockville Data Center).\n\nRecommendation 14: Update the VNS system security plan to\nreflect complete and accurate user identification and\nauthentication security information as required by Department\nstandards.\n\nResponse to Recommendation 14: The EOUSA has updated the\nSystem Security Plan as appropriate, including revision of user\nidentification and authentication implementation.\n\nRecommendation 15: Ensure that a disclaimer notification is\ndeveloped for the VIS application to notify users when they are\nabout to visit a third party website through a hyperlink.\n\nResponse to Recommendation 15: The VNS Program Management\noffice will implement a disclaimer statement for VIS.\n\nRecommendation 16: Modify the VIS application to protect\nagainst common web attacks in accordance with the\nrecommendations listed for the specific vulnerabilities in\nAppendix XI.\n\n\n\n                             110\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                  REDACTED FOR PUBLIC RELEASE\n                                                          APPENDIX XII\nResponse to Recommendation 16: The EOUSA will assess VIS\napplication with a leading commercial web application vulnerability\nassessment utility and implement corrective actions as appropriate.\nThe EOUSA will explicitly test for the vulnerabilities listed in Appendix\nXI.\n\nRecommendation 17: Terminate unnecessary or vulnerable\nservices identified on the VNS servers.\n\nResponse to Recommendation 17: The EOUSA has completed\nactions to terminate unnecessary services on the VNS servers.\n\nRecommendation 18: Apply application and server patches in a\ntimely manner.\n\nResponse to Recommendation 18: The EOUSA Enterprise\nVulnerability Management Program (EVMP) scans and assesses VNS\nnetworks and systems for vulnerabilities on a regular periodic basis\n(each month) and also on an irregular ad hoc basis. Application and\nserver patches are analyzed, risks weighed, and finally resolved to\neither be corrected or accepted as risk. Due to technical and business\nconsiderations, not all patches are applied. In accordance with the\nDOJ IT Security Program Management Plan, the EOUSA will continue to\nresolve vulnerabilities in a timely manner. Patches selected for\nimplementation will continue to be applied in accordance with\ndocumented VNS configuration management processes.\n\nRecommendation 19: Adequately secure network devices and\nserver configurations in accordance with the recommendations\nlisted for the specific vulnerabilities in Appendix X.\n\nResponse to Recommendation 19: The EOUSA continues to assess\nVNS infrastructure on a regular periodic basis with the DOJ standard\nassessment utility in accordance with the DOJ IT Security Program\nPlan. Several vulnerabilities listed in Appendix X have been corrected.\nOthers have been confirmed as false positives. The EOUSA will\ncontinuously monitor and assess VNS for vulnerabilities and implement\ncorrective actions as appropriate to maintain an acceptable level of\nrisk.\n\n     Thank you again for the opportunity to provide comments to the\nReport.\n\n\n\n                              111\n                  REDACTED FOR PUBLIC RELEASE\n\x0c                REDACTED FOR PUBLIC RELEASE\n                                                      APPENDIX XIII\n OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND\n         SUMMARY OF ACTIONS NECESSARY\n              TO CLOSE THE REPORT\n\n      In its response to our draft audit report, EOUSA concurred with\nour recommendations. This appendix provides our analyses of EOUSA\xe2\x80\x99s\nresponses, including the actions needed to close each recommendation.\n\nStatus of Recommendations\n\n1.   Resolved. In its response to our draft report recommendation\n     to develop a written plan for archiving VNS data or acquiring\n     new equipment to resolve the capacity issue, EOUSA stated that\n     it installed new equipment on October 20, 2007. EOUSA stated\n     that replacing the old equipment has alleviated storage space\n     issues for the projected lifespan of the new equipment. EOUSA\n     further stated that it would address data archiving in the next\n     VNS contract.\n\n     To close this recommendation, please provide us with a copy of\n     the next VNS contract, including information regarding the\n     archiving of VNS data.\n\n2.   Resolved. In response to our recommendation to ensure that it\n     utilizes the newer version of Tracker software for Call\n     Center/Help Desk functions, EOUSA stated that Tracker was\n     replaced with Front Range on July 5, 2007. EOUSA further\n     stated that in a future release to the VNS, it plans to implement\n     the Front Range e-mail function that surveys individuals upon\n     the closing of a \xe2\x80\x9cticket\xe2\x80\x9d regarding customer satisfaction with the\n     Help Desk.\n\n     To close this recommendation, please provide evidence that\n     EOUSA has replaced Tracker with Front Range. Additionally,\n     please provide evidence that EOUSA has implemented the Front\n     Range feature for surveying individuals upon closing of a\n     \xe2\x80\x9cticket.\xe2\x80\x9d\n\n3.   Resolved. EOUSA is in agreement with our recommendation to\n     develop a universal interface for federal investigative agencies to\n     upload data directly to the VNS. EOUSA stated that it plans to\n     proceed with the universal interface when funding is made\n     available by the OVC.\n\n                            112\n                REDACTED FOR PUBLIC RELEASE\n\x0c                REDACTED FOR PUBLIC RELEASE\n                                                       APPENDIX XIII\n\n\n     To close this recommendation, please provide us with evidence\n     that the universal interface has been developed and is being\n     utilized by federal investigative agencies to upload data directly\n     to the VNS.\n\n4.   Resolved. In its response to the draft report, EOUSA advised\n     that it and the Administrative Office of the U.S. Courts (AOUSC)\n     have agreed to develop the ability to connect individual district\n     courts to the VNS. Further, EOUSA stated that development is\n     underway and the project is expected to be completed in late\n     March 2008. However, EOUSA noted that it cannot ensure that\n     all district courts are connected because the Courts, as part of\n     the Judicial Branch, are not part of DOJ.\n\n     To close this recommendation, please provide us, when\n     available, evidence that the technical development of an\n     EOUSA/AOUSC interface is complete. Further, please provide\n     us, when developed, with a copy of the plan to promote the\n     connection of the individual district courts to the VNS. Finally,\n     once the plans are complete, please provide us with evidence of\n     individual district courts that agree to be connected to the VNS.\n\n5.   Resolved. In its response to our recommendation to work with\n     VNS-participating agencies to develop and implement procedures\n     for federal VNS users to ensure that victims\xe2\x80\x99 contact information\n     is current and updated, EOUSA agreed that it is essential that\n     the VNS contain current and accurate victim-contact information.\n     According to EOUSA, though, it will work with VNS-participating\n     agencies to develop and implement additional procedures to\n     ensure that victim contact information is as up-to-date and\n     accurate as possible.\n\n     To close this recommendation, please provide us with evidence\n     of your efforts to work with VNS-participating agencies to\n     develop and implement additional procedures to ensure that\n     victim contact information is as up-to-date and accurate as\n     possible.\n\n6.   Resolved. EOUSA provided information, by specific area, in\n     response to our recommendation to develop long-range plans for\n     the VNS and its management.\n\n\n\n                            113\n                REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                      APPENDIX XIII\n      To close this recommendation, please provide us with: (1) a\n      copy of the next VNS contract, when available, which includes a\n      plan for periodic replacement of hardware and software;\n      (2) evidence of how ideas that came out of the September 2007\n      meeting have been used to plan for the future; and (3) a copy of\n      EOUSA\xe2\x80\x99s written succession plan for VNS program management.\n\n7.    Resolved. In its response to our draft report, EOUSA concurred\n      with our recommendation to work with VNS-participating\n      agencies to develop and implement a nationwide procedure for\n      addressing undeliverable correspondence and e-mail.\n\n      To close this recommendation, please provide us the portion of\n      the next VNS contract, when available, containing a technical\n      solution to the issue of returned e-mail notices. Additionally,\n      please provide evidence of how EOUSA is working with other\n      agencies to develop a nationwide policy regarding returned mail.\n\n8.    Resolved. EOUSA agreed with our recommendation to improve\n      Call Center automated assistance to allow callers to reach an\n      operator at any point during a call. Further, EOUSA stated that\n      an engineering change to allow this access will be considered for\n      a future release to the VNS.\n\n      To close this recommendation, please provide evidence of the\n      engineering change to the VNS, which will allow callers to reach\n      an operator at any point during a call to the VNS Call Center.\n\n9.    Resolved. In its response to our recommendation to follow up\n      with its contractor to fulfill its requirement to have a Spanish-\n      speaking operator available during all hours of operation, EOUSA\n      stated that the VNS Project Manager has discussed this issue with\n      its contractor. EOUSA further advised that it has developed an\n      interim plan that makes use of another department of the\n      contractor that provides Spanish translations. EOUSA stated this\n      is a temporary solution until additional Spanish-speaking\n      operators can be hired.\n\n      To close this recommendation, please provide us with evidence of\n      the steps the contractor is taking to recruit Spanish speakers and,\n      when it occurs, evidence that these employees have been hired.\n\n10.   Resolved. EOUSA concurred with our recommendation to work\n      with the United States Marshals Service (USMS) to ensure that\n\n                             114\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                        APPENDIX XIII\n      the accurate custody status of defendants is available to victims\n      utilizing the VNS. Moreover, EOUSA stated that it is in contact\n      with the USMS regarding this issue and plans to have VNS ready\n      to accept USMS data by March 2008.\n\n      To close this recommendation, please provide us with evidence\n      that the interface between the VNS and the USMS that will allow\n      the VNS to accept USMS custody status data has been developed\n      and is functioning.\n\n11.   Resolved. In its response to our draft report, EOUSA stated\n      that it will review the VIS regarding the consistency of restitution\n      information and availability.\n\n      To close this recommendation, please provide evidence of\n      EOUSA\xe2\x80\x99s review of restitution information available in the VIS.\n      This review should provide details of EOUSA\xe2\x80\x99s review, including\n      an examination of the consistency of the information and\n      directions provided.\n\n12.   Resolved. EOUSA concurred with our recommendation to work\n      with VNS-participating agencies to develop a requirement for\n      federal VNS users to record a reason for opting a victim out of the\n      VNS.\n\n      To close this recommendation, please provide us, once developed,\n      with documentation of the engineering change request that will\n      require users to select one of the opt-out reasons when electing to\n      stop notifications to a registered victim. Additionally, please\n      provide us evidence that this function has been implemented.\n\n13.   Resolved. EOUSA concurred with our recommendation and is in\n      the process of implementing data integrity checks and\n      encryption procedures to ensure that transmitted data from the\n      BOP and FBI are complete and accurate, as required by\n      Department policy.\n\n      To close this recommendation, please provide evidence (e.g.,\n      screen shots and approved change control sheets) that data\n      integrity checks and encryption of transmitted BOP and FBI data\n      files are being performed for the VNS.\n\n14.   Resolved. EOUSA concurred with our recommendation and\n      stated that it has updated the VNS\xe2\x80\x99s system security plan to\n\n                             115\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                       APPENDIX XIII\n      include accurate user identification and authentication security\n      information.\n\n      To close this recommendation, please provide us a copy of the\n      updated system security plan.\n\n15.   Resolved. EOUSA concurred with our recommendation and\n      plans to ensure that a disclaimer notification is developed for the\n      VIS application to notify users when they are about to visit a\n      third-party website through a hyperlink.\n\n      To close this recommendation, please provide evidence (such as\n      screen shots and approved change control sheets) that this\n      disclaimer notification has been implemented for the VIS.\n\n16.   Resolved. EOUSA concurred with our recommendation to\n      modify the VIS application to protect against common web\n      attacks. EOUSA plans to assess the VIS application with a\n      leading commercial web application vulnerability assessment tool\n      and implement corrective actions as appropriate.\n\n      To close this recommendation, please provide EOUSA\xe2\x80\x99s VIS\n      vulnerability assessment results and evidence that corrective\n      actions have been implemented.\n\n17.   Resolved. In response to our recommendation, EOUSA stated\n      that is has completed actions to terminate unnecessary or\n      vulnerable services identified on the VNS servers.\n\n      To close this recommendation, please provide evidence that\n      these actions have been completed.\n\n18.   Resolved. EOUSA concurred with our recommendation and\n      stated that application and server patches are applied timely.\n      However, EOUSA indicated that not all patches are applied due\n      to technical and business considerations. Furthermore, EOUSA\n      plans to continue to apply selected patches in accordance with\n      documented VNS configuration management processes.\n\n      To close this recommendation, please provide evidence that\n      application and server patches are applied in a timely manner in\n      accordance with Department policies. EOUSA should ensure that\n      approved waivers from the Department are maintained for those\n      patches that are not applied. Additionally, the risks associated\n\n                             116\n                 REDACTED FOR PUBLIC RELEASE\n\x0c                 REDACTED FOR PUBLIC RELEASE\n                                                        APPENDIX XIII\n      with the vulnerabilities for failure to apply the patches should be\n      approved and documented within the VNS\xe2\x80\x99s risk assessment.\n\n19.   Resolved. EOUSA concurred with our recommendation to\n      adequately secure network devices and server configurations.\n      As a result, EOUSA also plans to regularly assess the VNS\xe2\x80\x99s\n      infrastructure using the Department\xe2\x80\x99s standard assessment tool.\n      Furthermore, EOUSA indicated that some vulnerabilities listed in\n      Appendix X are now identified by their officials as being false\n      positive. However, EOUSA was presented with the vulnerability\n      assessment results performed by our auditors during the course\n      of the audit, but did not identify any of the vulnerabilities as\n      being false positive.\n\n      To close this recommendation, please provide evidence that\n      EOUSA has adequately secured network devices and server\n      configurations for vulnerabilities identified in Appendix X.\n      EOUSA should also provide evidence of the compensating\n      controls used for those vulnerabilities listed in Appendix X that\n      EOUSA has recently identified as false positive.\n\n\n\n\n                             117\n                 REDACTED FOR PUBLIC RELEASE\n\x0c'